W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: Public Suffix List

From: Adrien de Croy <adrien@qbik.com>
Date: Tue, 10 Jun 2008 03:23:23 +1200
Message-ID: <484D4AEB.7020009@qbik.com>
To: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>
CC: ietf-http-wg@w3.org, dnsop@lists.uoregon.edu

I agree.  I'm really not fond of this idea.

IMHO creating registries and heuristics like this will be about as 
effective as bayesian antispam.

I see it creating a large administrative burden on many people, but 
never catching up with the current state.  I see people relying on it 
for all manner of things for which it's not designed.  Also you're 
dealing with organisations whose prime focus is not maintaining your 
list.  You might get some initial enthusiasm to start, but down the 
track I see that waning.

This is all being proposed to _enable_ cross-site cookies (as opposed to 
just blocking or warning the user).. why not make that aspect explicit?  
I can't see any other way to make it secure.  Ignore DNS, make the 
cookies' realm explicit. 

As for privacy, if an issuer of a cookie prescribes the realms within 
which that cookie may be submitted, then privacy falls under the control 
of the cookie-issuing site.  A compliant browser won't submit it outside 
those realms.

And as for sites colluding... well there are other ways for sites to 
collude to learn things from each other without even involving the 
client. I think we have to accept that if sites really want to collude, 
they will find a way to do so.

Frank Ellermann wrote:
> Gervase Markham wrote:
>  [NIC, WHOIS, and WWW]
>> Interesting, but I don't think it's relevant. What makes you
>> think it is?
> I think that any concept of "globally reserved" SLD labels is
> FUBAR.  What could happen is that your list claims to list all
> SLDs for a given TLD, forgetting NIC, WHOIS, or WWW.  
> What TLDs do is their business, and it could be a can of worms
> if the TLDs are redelegated later.  It would be nice to know 
> the state of the art now for any given TLD, and TLD admins are
> free to publish their policies in an RFC.  Unfortunately most
> don't, offering an official IANA registry where they can do it
> might help, but it is tricky.
> They'd need to be aware that it will be near to impossible to
> change some published practises even after a TLD redelegation.
> E.g., .co.uk is what it is today, any attempt to twist it into
> an ordinary domain or wildcard could cause havoc, but it is 
> hard to find anybody in the position to say MUST NOT.  If TLD
> .uk itself says it, is that binding after a redelegation ?  If
> ICANN says it, do they have a MoU with ccTLD .uk covering it ?
> AFAIK there is no BCP or standards track RFC to justify this.
> If your private list says it, what if they really change their
> rules for some convoluted applications we are not yet aware of,
> say NAPTR ?  What if the DKIM WG invents a new .co.uk wildcard
> for ADSP purposes ?  BTW, they won't, but IMO your list cannot
> guarantee that nobody else does it.
> That you forwarded your question to the HTTPbis list triggered
> my sitefinder.verisign alert, HTTP is not the only user of DNS.
>>> At the time when it was created I submitted a few obscure
>>> cases like .e164.arpa to the SURBL suffix white list, 
>> Where can I find a copy of this list?
> What I had in mind was <http://www.surbl.org/faq.html#cctlds>
> with a link to <http://spamcheck.freeapp.net/two-level-tlds> -
> IMHO the term "two level TLDs" is already too wrong to fix it.
>> We are maintaining it for anyone and everyone to use. If IANA
>> were interested in maintaining this information instead of us,
>> that would be great.
> I think that IANA is not "interested" to create new registries,
> they are "obliged" to do this under RFC 5226 and 2860 rules. :-)
> See <http://www.iab.org/documents/correspondence/index.html> with
> http://www.iab.org/documents/correspondence/IANA-2006/IAB-IANA-Position.htm
> http://www.iab.org/documents/correspondence/2008-02-15-midterm-view-icann-doc-jpa.html
>  Frank

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Monday, 9 June 2008 15:22:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:46 UTC