- From: Eric Brunner-Williams <brunner@nic-naa.net>
- Date: Mon, 09 Jun 2008 11:54:14 -0700
- To: Edward Lewis <Ed.Lewis@neustar.biz>
- CC: yngve@opera.com, Gervase Markham <gerv@mozilla.org>, dnsop@ietf.org, ietf-http-wg@w3.org
Gervase, I'm going to piggy-back this on something Edward Lewis wrote: > ... > I doubt that you'll find any repository that can > be used to register "registry-like" zones. The > DNS lacks anything like a RADB, RPSL, etc., > mechanism employed by the routing infrastructure. > Partly because, unlike IP addresses, there is no > organizational link through all parts of the > Domain administrations. ICANN does not have it's > "thumbs" on all the TLDs - many ccTLDs do not > operate under any agreement with ICANN. > > I admire and respect the effort of web browser > implementers to try to improve their code to make > it harder to abuse. Even if the desired tactic > is on target, it may still fail because the > information is just not available. Worse is > broken security which will just frustrate the > users and make the situation even more fertile > for abuse (through uncertainty and confusion). > > The domain name industry is more complex than one > would think. It's not technical, it's a market > place with operators, wholesalers, resellers, > etc. I think the answers to building a domain's > reputation lie more in what happens at an ICANN > meeting than an IETF meeting. > > The model we had was that with a dsig in the payload, along with a DCP, the US FTC could pursue bad actors in the US, and these would be forced "off-shore". Iterate until bad actors are restricted to well-known jurisdictions and policy set-cookie operations accordingly. Now I was profoundly dumb in several dimensions -- I didn't anticipate that the FTC would be indifferent to consumer fraud, I didn't anticipate that "off-shore" (meaning outside of Reston and its environs) would grow so dramatically, I didn't anticipate that the "new entity" would become part of the problem, creating a privacy hostile and consumer fraud indifferent regime in one part of the namespace, and failing to provide a mechanism for policy coordination across the entire namespace, and I didn't anticipate that we'd be wiped out in 2000, or that privacy would be wiped out as a policy area in 2001. That said, it is my experience that leads me to differ with Ed. The IE 5.5 beta blocked all 3rd-party cookies, and Mozilla's market share then was much smaller than it is today, yet our prototype of the policy parse policy model (in your code) was sufficient to cause that vendor to change their policy for IE 5.5, and hence for the entire market. I'm not unconcerned by the problems of state consistency (list update), or bit-delivery with that state embedded in each bit-set, or the specifics of discovery across 300+ mostly indifferent actors, or the (imho) larger problem of associating policy to namespace delegation or heuristics, but in my experience, the sink for all the set-cookie requests can independently, and usefully, determine the value of cookies and namespaces. We didn't use the IETF last time, other than to float drafts, in part because the HTTP-WG was closed, and ICANN didn't exist. Yet we got cookies into the only available model at the time, pretty much to solve the same problem you're trying to solve, modulo all the dumbness I mentioned above. Eric
Received on Monday, 9 June 2008 18:56:06 UTC