Re: [DNSOP] Public Suffix List

Henrik Nordstrom <henrik@henriknordstrom.net> Wed, 11 June 2008 11:03 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@lists.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E0A53A689D; Wed, 11 Jun 2008 04:03:10 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8E7FB3A689D for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 04:03:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.171
X-Spam-Level:
X-Spam-Status: No, score=-4.171 tagged_above=-999 required=5 tests=[AWL=-1.572, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2Crh4oNijno for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 04:03:04 -0700 (PDT)
Received: from vps1.henriknordstrom.net (vps1.henriknordstrom.net [195.20.207.177]) by core3.amsl.com (Postfix) with ESMTP id E892E28C117 for <dnsop@ietf.org>; Wed, 11 Jun 2008 04:01:49 -0700 (PDT)
Received: from henriknordstrom.net (183.159.216.81.static.tb.siw.siwnet.net [81.216.159.183]) by vps1.henriknordstrom.net (8.13.8/8.13.8/Debian-3) with ESMTP id m5BB25Lh031815; Wed, 11 Jun 2008 13:02:06 +0200
Received: from henrik ([127.0.0.1]) (authenticated bits=0) by henriknordstrom.net (8.12.11.20060308/8.12.8) with ESMTP id m5BB22Hv005523 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 11 Jun 2008 13:02:03 +0200
From: Henrik Nordstrom <henrik@henriknordstrom.net>
To: Gervase Markham <gerv@mozilla.org>
In-Reply-To: <484F9675.70103@mozilla.org>
References: <484CFF47.1050106@mozilla.org> <484D1533.4060300@spaghetti.zurich.ibm.com> <484D1883.4060002@mozilla.org> <sdej76og6p.fsf@wes.hardakers.net> <484D3C57.7010205@mozilla.org> <87abhtw1nv.fsf@mid.deneb.enyo.de> <1213131162.17978.41.camel@henriknordstrom.net> <484F9675.70103@mozilla.org>
Date: Wed, 11 Jun 2008 13:02:02 +0200
Message-Id: <1213182122.3341.75.camel@henriknordstrom.net>
Mime-Version: 1.0
X-Mailer: Evolution 2.10.3 (2.10.3-9.fc7)
X-Virus-Scanned: ClamAV version 0.91, clamav-milter version 0.91 on henriknordstrom.net
X-Virus-Status: Clean
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (vps1.henriknordstrom.net [195.20.207.177]); Wed, 11 Jun 2008 13:02:08 +0200 (CEST)
Cc: dnsop@ietf.org, ietf-http-wg@w3.org, Wes Hardaker <wjhns1@hardakers.net>
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0621871920=="
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

On ons, 2008-06-11 at 10:10 +0100, Gervase Markham wrote:

> Other list participants were warning about the possibility of people
> abandoning Firefox in droves if there were cookie-related problems
> caused by its use of public suffix list.

If you do this wronly yes.

> You, on the other hand, are
> suggesting that we can just make changes to the way cookies work and
> expect broken sites to fix themselves. These seem to be two
> irreconcilable views of the future.

No. Neither users or sites are completely static in nature.

> Long history and experience has shown us that we can't just break
> people's weFrom dnsop-bounces@ietf.org  Wed Jun 11 04:03:10 2008
Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@optimus.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 9E0A53A689D;
	Wed, 11 Jun 2008 04:03:10 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 8E7FB3A689D
	for <dnsop@core3.amsl.com>om>; Wed, 11 Jun 2008 04:03:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.171
X-Spam-Level: 
X-Spam-Status: No, score=-4.171 tagged_above=-999 required=5
	tests=[AWL=-1.572, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id p2Crh4oNijno for <dnsop@core3.amsl.com>om>;
	Wed, 11 Jun 2008 04:03:04 -0700 (PDT)
Received: from vps1.henriknordstrom.net (vps1.henriknordstrom.net
	[195.20.207.177])
	by core3.amsl.com (Postfix) with ESMTP id E892E28C117
	for <dnsop@ietf.org>rg>; Wed, 11 Jun 2008 04:01:49 -0700 (PDT)
Received: from henriknordstrom.net (183.159.216.81.static.tb.siw.siwnet.net
	[81.216.159.183])
	by vps1.henriknordstrom.net (8.13.8/8.13.8/Debian-3) with ESMTP id
	m5BB25Lh031815; Wed, 11 Jun 2008 13:02:06 +0200
Received: from henrik ([127.0.0.1]) (authenticated bits=0)
	by henriknordstrom.net (8.12.11.20060308/8.12.8) with ESMTP id
	m5BB22Hv005523
	(version=TLSv1/SSLv3 cipher=RC4-MD5 bits8 verify=NOT);
	Wed, 11 Jun 2008 13:02:03 +0200
From: Henrik Nordstrom <henrik@henriknordstrom.net>
To: Gervase Markham <gerv@mozilla.org>
In-Reply-To: <484F9675.70103@mozilla.org>
References: <484CFF47.1050106@mozilla.org>
	<484D1533.4060300@spaghetti.zurich.ibm.com>
	<484D1883.4060002@mozilla.org>
	<sdej76og6p.fsf@wes.hardakers.net> <484D3C57.7010205@mozilla.org>
	<87abhtw1nv.fsf@mid.deneb.enyo.de>
	<1213131162.17978.41.camel@henriknordstrom.net>
	<484F9675.70103@mozilla.org>
Date: Wed, 11 Jun 2008 13:02:02 +0200
Message-Id: <1213182122.3341.75.camel@henriknordstrom.net>
Mime-Version: 1.0
X-Mailer: Evolution 2.10.3 (2.10.3-9.fc7) 
X-Virus-Scanned: ClamAV version 0.91,
	clamav-milter version 0.91 on henriknordstrom.net
X-Virus-Status: Clean
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0
	(vps1.henriknordstrom.net [195.20.207.177]);
	Wed, 11 Jun 2008 13:02:08 +0200 (CEST)
Cc: dnsop@ietf.org, ietf-http-wg@w3.org, Wes Hardaker <wjhns1@hardakers.net>
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
	<mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
	<mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="=======21871920="
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

On ons, 2008-06-11 at 10:10 +0100, Gervase Markham wrote:

> Other list participants were warning about the possibility of people
> abandoning Firefox in droves if there were cookie-related problems
> caused by its use of public suffix list.

If you do this wronly yes.

> You, on the other hand, are
> suggesting that we can just make changes to the way cookies work and
> expect broken sites to fix themselves. These seem to be two
> irreconcilable views of the future.

No. Neither users or sites are completely static in nature.

> Long history and experience has shown us that we can't just break
> people's bsites like that.

Sites do break in upgrades. Problems arise if you break too many of them
and neither the site operators of users have an easy way around, or when
they do not understand why things broke. Fortunately the area we are
discussing is fundamentally broken by design, and sites do break today
differently in different browsers.

If you want something positive to come out of discussions like this you
have to have a little more open mind in looking where to find solutions.
There is at least 10 different solutions to the cookie domain problem,
of varying complexity and feasibility. Your proposed list is one, and
not a competely bad one, but very incomplete and too static to be
feasible as "the" solution to this problem. But it's a reasonable
interim step to patch things up while discussing how the actual problem
should be addressed.

In short the cookie problem is threefold:

a) Receivers of a cookie have no way of knowing who issued that cookie.

b) Receivers of cookies have no means of indicating who is allowed to
set cookies for them.

c) Issuers of cookies often want to issue a cookie to multiple domains
all of which is under their administrative control, but often have to
figth the very blunt domain based filters. As result we have many
designs using URL based transfer of the cookie details when moving from
one site to another when better operation would be seen if the cookie
could be managed as a single cookie valid for multiple sites. These "URL
based cookie tunnels" is often installed as a way around broken browser
cookie policies, and I would suspect they often create gaping security
issues from lacking awareness of why these policies even exists.

Regards
Henrik
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop