Re: [DNSOP] Public Suffix List

Jamie Lokier <jamie@shareable.org> Wed, 11 June 2008 14:28 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@lists.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D9FF3A69CB; Wed, 11 Jun 2008 07:28:41 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3E363A6928 for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 07:28:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.963
X-Spam-Level:
X-Spam-Status: No, score=-3.963 tagged_above=-999 required=5 tests=[AWL=-1.364, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIrMJz9wZJgI for <dnsop@core3.amsl.com>; Wed, 11 Jun 2008 07:28:38 -0700 (PDT)
Received: from mail2.shareable.org (mail2.shareable.org [80.68.89.115]) by core3.amsl.com (Postfix) with ESMTP id BE0D83A69C4 for <dnsop@ietf.org>; Wed, 11 Jun 2008 07:28:38 -0700 (PDT)
Received: from jamie by mail2.shareable.org with local (Exim 4.63) (envelope-from <jamie@shareable.org>) id 1K6RJm-00081q-1C; Wed, 11 Jun 2008 15:28:54 +0100
Date: Wed, 11 Jun 2008 15:28:53 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Gervase Markham <gerv@mozilla.org>
Message-ID: <20080611142853.GA30686@shareable.org>
References: <484D5B88.3090902@mozilla.org> <9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org> <484E52F4.5030402@mozilla.org> <20080610111454.GE25910@shareable.org> <87prqpum6n.fsf@mid.deneb.enyo.de> <484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl> <484F965A.1000709@mozilla.org> <20080611103103.GA25556@shareable.org> <484FC15E.8090804@mozilla.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <484FC15E.8090804@mozilla.org>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: dnsop@ietf.org, David Conrad <drc@virtualized.org>, ietf-http-wg@w3.org, Jelte Jansen <jelte@NLnetLabs.nl>
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

Gervase Markham wrote:
> > Oh?  How is this reconciled with earlier comments that
> > login.mybank.co.uk and accounts.mybank.co.uk are grouped together - or
> > is the Public Suffix List only for history grouping in browsers, not
> > for cookie sharing?
>
> under the current code ... www.mybank.co.uk can set cookies for
> ... co.uk (shared with adserver.co.uk but not with myorg.org.uk).
>
> It is this latter use we want to prevent. We can do so by stopping
> cookies being set for any domain which is a public suffix.

I'm not seeing how this is different from mybank.livejournal.com
setting cookies on livejournal.com which can be read by
adserver.livejournal.com.  livejournal.com needs to be on your Public
Suffix List to prevent that - if the content from subdomains can set
their own cookies.  Maybe not on Livejournal, but there are sites
where it's possible.

Even in mybank.co.uk, it's typical that login.mybank.co.uk and
thirdpartyinformation.mybank.co.uk will be somewhat independent.  The
latter should not be setting arbitrary cookies affecting the former,
imho - security, rather than privacy.

Regarding the "break the contract with adserver" argument, there are
plenty of ways for mybank.co.uk to pass tracking info to
adserver.co.uk by contract.  Banning cross-domain cookies in this casFrom dnsop-bounces@ietf.org  Wed Jun 11 07:28:41 2008
Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@optimus.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 9D9FF3A69CB;
	Wed, 11 Jun 2008 07:28:41 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id F3E363A6928
	for <dnsop@core3.amsl.com>om>; Wed, 11 Jun 2008 07:28:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.963
X-Spam-Level: 
X-Spam-Status: No, score=-3.963 tagged_above=-999 required=5
	tests=[AWL=-1.364, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id dIrMJz9wZJgI for <dnsop@core3.amsl.com>om>;
	Wed, 11 Jun 2008 07:28:38 -0700 (PDT)
Received: from mail2.shareable.org (mail2.shareable.org [80.68.89.115])
	by core3.amsl.com (Postfix) with ESMTP id BE0D83A69C4
	for <dnsop@ietf.org>rg>; Wed, 11 Jun 2008 07:28:38 -0700 (PDT)
Received: from jamie by mail2.shareable.org with local (Exim 4.63)
	(envelope-from <jamie@shareable.org>)
	id 1K6RJm-00081q-1C; Wed, 11 Jun 2008 15:28:54 +0100
Date: Wed, 11 Jun 2008 15:28:53 +0100
From: Jamie Lokier <jamie@shareable.org>
To: Gervase Markham <gerv@mozilla.org>
Message-ID: <20080611142853.GA30686@shareable.org>
References: <484D5B88.3090902@mozilla.org>
	<9C47AC3F-A0EA-48BB-9B28-DFD2C4855EB3@virtualized.org>
	<484E52F4.5030402@mozilla.org>
	<20080610111454.GE25910@shareable.org>
	<87prqpum6n.fsf@mid.deneb.enyo.de>
	<484F8DB4.5030500@mozilla.org> <484F8F93.8020808@NLnetLabs.nl>
	<484F965A.1000709@mozilla.org>
	<20080611103103.GA25556@shareable.org>
	<484FC15E.8090804@mozilla.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <484FC15E.8090804@mozilla.org>
User-Agent: Mutt/1.5.13 (2006-08-11)
Cc: dnsop@ietf.org, David Conrad <drc@virtualized.org>rg>, ietf-http-wg@w3.org,
	Jelte Jansen <jelte@NLnetLabs.nl>
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
	<mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>,
	<mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

Gervase Markham wrote:
> > Oh?  How is this reconciled with earlier comments that
> > login.mybank.co.uk and accounts.mybank.co.uk are grouped together - or
> > is the Public Suffix List only for history grouping in browsers, not
> > for cookie sharing?
>
> under the current code ... www.mybank.co.uk can set cookies for
> ... co.uk (shared with adserver.co.uk but not with myorg.org.uk).
>
> It is this latter use we want to prevent. We can do so by stopping
> cookies being set for any domain which is a public suffix.

I'm not seeing how this is different from mybank.livejournal.com
setting cookies on livejournal.com which can be read by
adserver.livejournal.com.  livejournal.com needs to be on your Public
Suffix List to prevent that - if the content from subdomains can set
their own cookies.  Maybe not on Livejournal, but there are sites
where it's possible.

Even in mybank.co.uk, it's typical that login.mybank.co.uk and
thirdpartyinformation.mybank.co.uk will be somewhat independent.  The
latter should not be setting arbitrary cookies affecting the former,
imho - security, rather than privacy.

Regarding the "break the contract with adserver" argument, there are
plenty of ways for mybank.co.uk to pass tracking info to
adserver.co.uk by contract.  Banning cross-domain cookies in this ce
just forces them to use another method.

> (Again, I comment that cookies are not the only way we are using this
> information.)

I don't think anybody minds how you use the information to present
History dialogs and such.  Just whether it breaks applications that
come to depend on the structure of the list, and whether it adds
another barrier for site publishers who serve public content in a way
which resembles NICs.

-- Jamie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


ase
just forces them to use another method.

> (Again, I comment that cookies are not the only way we are using this
> information.)

I don't think anybody minds how you use the information to present
History dialogs and such.  Just whether it breaks applications that
come to depend on the structure of the list, and whether it adds
another barrier for site publishers who serve public content in a way
which resembles NICs.

-- Jamie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop