Re: [DNSOP] Public Suffix List

Jeroen Massar <jeroen@unfix.org> Tue, 10 June 2008 08:15 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@optimus.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2825B3A695D; Tue, 10 Jun 2008 01:15:19 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 23F693A68F2 for <dnsop@core3.amsl.com>; Tue, 10 Jun 2008 01:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKwNwaxZBVny for <dnsop@core3.amsl.com>; Tue, 10 Jun 2008 01:15:17 -0700 (PDT)
Received: from abaddon.unfix.org (abaddon.unfix.org [IPv6:2001:41e0:ff00:0:216:3eff:fe00:4]) by core3.amsl.com (Postfix) with ESMTP id 460223A67DB for <dnsop@ietf.org>; Tue, 10 Jun 2008 01:15:16 -0700 (PDT)
Received: from [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0] (spaghetti.ch.unfix.org [IPv6:2001:41e0:ff42:b00:216:cfff:fe00:e7d0]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jeroen) by abaddon.unfix.org (Postfix) with ESMTPSA id 4162A3D2166; Tue, 10 Jun 2008 10:15:35 +0200 (CEST)
Message-ID: <484E3832.6070108@spaghetti.zurich.ibm.com>
Date: Tue, 10 Jun 2008 10:15:46 +0200
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080421 Lightning/0.8 Thunderbird/2.0.0.14 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
References: <484CFF47.1050106@mozilla.org> <20080609142926.GC83012@commandprompt.com> <484D4191.104@mozilla.org> <20080609154002.GA93967@commandprompt.com> <484D5206.3000806@mozilla.org> <20080609214215.GF10260@commandprompt.com> <1B8CFAA1-E30A-4461-8B4E-BFF6E3A3A39C@nominum.com> <20080610080209.GA1365@nic.fr>
In-Reply-To: <20080610080209.GA1365@nic.fr>
X-Enigmail-Version: 0.95.6
OpenPGP: id=333E7C23
X-Virus-Scanned: ClamAV version 0.93, clamav-milter version 0.93 on abaddon.unfix.org
X-Virus-Status: Clean
Cc: dnsop@ietf.org, Gervase Markham <gerv@mozilla.org>, Ted Lemon <Ted.Lemon@nominum.com>
Subject: Re: [DNSOP] Public Suffix List
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0932058443=="
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

[three possible solutions below, thus keep on reading ;) ]

Stephane Bortzmeyer wrote:
> On Mon, Jun 09, 2008 at 04:53:01PM -0500,
>  Ted Lemon <Ted.Lemon@nominum.com> wrote 
>  a message of 16 lines which said:
> 
>> Why not just set up a list of TLDs in a mozilla.org subdomain, sign
>> the subdomain with DNSSEC, put the DNSSEC public key into firefox,
>> and have firefox consult the TLD list in the DNS, verified with
>> DNSSEC, whenever information is needed?
> 
> Your proposal solves *one* problem (the one well explained by Andrew
> Sullivan), the difficulty of having an up-to-date list in the
> installed browsers.
>  
> It leaves open the other problems:
[..]

And of course the problem of privacy. Asking a mozilla.org or whatever 
remote domain not associated with the primary domain allows all 
mozilla.org (or whatever RBL domain is used) to see at least the domains 
I am locally using. This of course becomes funnier with local domains 
that are only on the Intranet. (Same goes for email RBLs of course and 
using google and other search engines, every bit of information you 
disclose is a loss for your privacy, it all depends on what you like or 
not like)

As such, if one really wants to have these "LISTS" then let the Domain 
Admins publish them, as they know best. It is their domain after all.

(I) Thus, as I mentioned before, look at the SPF crowd: publish a TXT or 
most likely even better another special record which indicates what 
domains are associated with it, or actually you will want to describe 
which domains are NOT associated with it under that sublevel.

e.g.:

example.co.uk TXT "v=psl1 +example.co.uk -evil.example.co.uk -all"
example.org   TXT "v=psl1 +good.example.org -all"


(II) Then again, as others mentioned this is after all a HTTP issue, 
thus having a special HTTP header which encodes the above is already 
much better.


(III) Having that list in the cookie is of course another solution which 
solves the problem where it should be solved... and my vote would indeed 
be for the latter: better restrictions on cookie domains.

Yes, that does not resolve it 'directly' globally. But clearly the 
people using cookies don't care about it at the moment, otherwise they 
would be complaining and fixing the problem. If this new cookie 
mechanism is available though and people are made aware of it, they for 
sure are going to use it if they think it solves a part of their 
security issues.

Greets,
  Jeroen

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
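As an added illustration of proposal (I), not code from the message or from any project, the following Python evaluates the sketched "v=psl1" record format to answer the cookie-scoping question the thread is about: may a cookie set by one host be scoped to a given parent domain? The matching semantics (nearest record at or above the requested domain decides, the most specific matching mechanism wins, "all" is the fallback, no record at all means "treat it like a public suffix") and the in-memory zone are my assumptions; the message only gives the two sample records.

```python
import re

# Constructed in-memory zone (TXT records keyed by owner name) holding the
# two sample records from the message; "v=psl1" is the author's sketch.
ZONE = {
    "example.co.uk": "v=psl1 +example.co.uk -evil.example.co.uk -all",
    "example.org": "v=psl1 +good.example.org -all",
}


def parse_psl1(txt):
    """Return [(qualifier, name), ...] for a v=psl1 record, else None."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=psl1":
        return None
    mechs = []
    for tok in parts[1:]:
        m = re.fullmatch(r"([+-])([a-z0-9.-]+)", tok.lower())
        if not m:
            return None  # malformed record: ignore it entirely (fail closed)
        mechs.append((m.group(1), m.group(2)))
    return mechs


def under(name, suffix):
    """True if name equals suffix or sits one or more labels beneath it."""
    return name == suffix or name.endswith("." + suffix)


def cookie_domain_allowed(host, domain, zone=ZONE):
    """May a cookie set by `host` be scoped to `domain`?  Assumed semantics:
    nearest v=psl1 record at or above `domain`, most specific match wins."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    if host == domain:
        return True  # host-only cookie, no cross-host scoping involved
    if not under(host, domain):
        return False  # a host may not claim a domain it does not sit beneath
    labels = domain.split(".")
    for i in range(len(labels)):
        mechs = parse_psl1(zone.get(".".join(labels[i:]), ""))
        if mechs is None:
            continue  # no (valid) record at this level, try the parent
        best = None  # (specificity, qualifier) of the best matching mechanism
        for qual, name in mechs:
            if name != "all" and not under(host, name):
                continue
            spec = -1 if name == "all" else name.count(".") + 1
            if best is None or spec > best[0]:
                best = (spec, qual)
        return best is not None and best[1] == "+"
    return False  # no record anywhere: treat `domain` like a public suffix
```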