[secdir] [new-work] WG Review: Domain Boundaries (dbound)

The IESG <iesg@ietf.org> Sat, 07 March 2015 00:41 UTC

Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FBEA1A8782; Fri, 6 Mar 2015 16:41:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1425688887; bh=tINjCwVV0SpnKCqcyv0NwLH36Ww49Qn2XoHaPySqJZE=; h=MIME-Version:From:To:Message-ID:Date:Subject:Reply-To:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=kCKCPRk8YMU4ViKyiLpIpvKlUKh9V9IUesh3wsvLDq5ITzjHDx1a8mGupty+WUbpz dMK17CZRCWqPXY7zGGHOBGqOh7PrcZ8A+GVZraj3frpZ16O1TbZOzjuDFCGRwtUOIM l9tmqq1PNMhhNz7c1RMM4Re8Z+WyWAvyyIblO8go=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id C171E1A8787; Fri, 6 Mar 2015 16:41:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id dE60q41XnEAA; Fri, 6 Mar 2015 16:41:21 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F397E1A8782; Fri, 6 Mar 2015 16:41:20 -0800 (PST)
MIME-Version: 1.0
From: The IESG <iesg@ietf.org>
To: <new-work@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.12.0.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150307004120.29910.50845.idtracker@ietfa.amsl.com>
Date: Fri, 06 Mar 2015 16:41:20 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/new-work/1GOEJAN9m5mgyiQjndCUgMjCPtY>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.15
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/8t4gcywJFVqhLYN9dQQUBghxzb0>
X-Mailman-Approved-At: Sat, 07 Mar 2015 12:16:52 -0800
Subject: [secdir] [new-work] WG Review: Domain Boundaries (dbound)
X-BeenThere: secdir@ietf.org
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2015 00:41:27 -0000

A new IETF working group has been proposed in the Applications Area. The
IESG has not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send
your comments to the IESG mailing list (iesg at ietf.org) by 2015-03-16.

Domain Boundaries (dbound)
Current Status: Proposed WG

Assigned Area Director:
  Barry Leiba <barryleiba@computer.org>

Mailing list
  Address: dbound@ietf.org
  To Subscribe: http://www.ietf.org/mailman/listinfo/dbound
  Archive: http://www.ietf.org/mail-archive/web/dbound


Various Internet protocols and applications require some mechanism for
determining whether two domain names are related. The meaning of
"related" in this context is not a unitart concept. The DBOUND working
group will develop one or more solutions to this family of problems,
and will clarify the types of relations relevant.

For example, it is often necessary or useful to determine whether
example.com and foo.example.com, or even example.net, are subject to
the same administrative control. To humans, the answer to this may be
obvious. However, the Domain Name System (DNS), which is the service
that handles domain name queries, does not provide the ability to mark
these sorts of relationships. This makes it impossible to discern
relationships algorithmically. The right answer is not always "compare
the rightmost two labels".

Applications and organizations impose policies and procedures that
create additional structure in their use of domain names. This creates
many possible relationships that are not evident in the names
themselves or in the operational, public representation of the names.

Prior solutions for identifying relationships between domain names have
sought to use the DNS namespace and protocol to extract that information
when it isn't actually there.  See the "Additional Background
Information" section, below, for more details.

For the purpose of this work, domain names are identifiers used by
organizations and services, independent of underlying protocols or
mechanisms.  We define an "organizational domain" to be a name that is
at the top of an administrative hierarchy, defining transition from one
"outside" administrative authority to another that is "inside" the

The current way most of this is handled is via a list published at
publicsuffix.org, and the general goal is to accommodate anything people
are using that for today.  However, there are broadly speaking two use
patterns. The first is a "top ancestor organization" case. In this case,
the goal is to find a single superordinate name in the DNS tree that can
properly make assertions about the policies and procedures of 
subordinate names. The second is to determine, given two different 
names, whether they are governed by the same administrative authority. 
The goal of the DBOUND working group is to develop a unified solution, 
if possible, for determining organizational domain boundaries. However, 
the working group may discover that the use cases require different 
solutions. Should that happen, the working group will develop those 
different solutions, using as many common pieces as it can.

Solutions will not involve the proposal of any changes to the DNS
protocol.  They might involve the creation of new resource record types.

This working group will not seek to amend the consuming protocols
themselves (standards for any web, email, or other such protocols)
without rechartering, and such rechartering will only be considered after
completion of the base work.

The working group has a pre-IETF draft to consider as a possible
starting point: draft-sullivan-dbound-problem-statement


Additional Background Information
[to be moved to a Wiki on chartering]

The concept of an administrative boundary is by definition not present
in the DNS.  Relying on the DNS to divine administrative structure thus
renders such solutions unreliable and unnecessarily constrained.  For
example, confirming or dismissing a relationship between two domain
names based on the existence of a zone cut or common ancestry is often
unfounded, and the notion of an upward "tree walk" as a search mechanism
is, therefore, unacceptable.

Currently, the most well known solution in existence is the Public
Suffix List (PSL).  The PSL is maintained by a web browser producer and
is kept current by volunteers on a best-effort basis.  It contains a
list of points in the hierarchical namespace at which registrations take
place, and is used to identify the boundary between so-called "public"
names (below which registrations can occur, such as ".com" or ".org.uk")
and the private names (organizational names) that domain registrars 
create within them.  When this list is inaccurate, it exposes a 
deviation from reality that degrades service to some and can be 
exploited by others.  As the PSL is the de-facto resource, and as there 
is not a more comprehensive, alternative solution for relationship 
identification, the PSL has often been misused to accomplish things 
beyond its capabilities.  For example, there is no way to confirm the 
relationship between two domain names -- the PSL may only signal that 
there is or is not a public boundary between the two. Additionally, 
there are questions about the scalability, central management, and 
third-party management of the PSL as it currently exists.

In terms of specific use cases, within the realm of email there is a
desire to link an arbitrary fully-qualified domain name (FQDN) to the
organizational domain name (at some point in the namespace above it), in
order to identify a deterministic location where some sort of statement
of policy regarding that FQDN can be found.  With respect to the web,
there is a similar need to identify relationships between different
FQDNs, currently accomplished by comparing ancestries.  However, there
is also desire to reliably identify relationships outside of the realm
and constraints of the namespace tree.

Work such as DMARC (draft-kucherawy-dmarc-base), will certainly benefit
from having this capability.

new-work mailing list