W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: [DNSOP] Public Suffix List

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 11 Jun 2008 00:10:40 +1200
Message-ID: <484E6F40.6010805@qbik.com>
To: Gervase Markham <gerv@mozilla.org>
CC: Jamie Lokier <jamie@shareable.org>, dnsop@ietf.org, ietf-http-wg@w3.org


 From what I can tell:

a) the proposed problem is that of cookies being used across differently 
administered web sites.

b) the proposed solution involves mapping the boundary between privately 
and publicly administered DNS space.

I don't see how (b) addresses (a).  Web sites does not equal DNS.  
Private vs public DNS does not equal differently-administered websites. 

Furthermore keeping an accurate map of the DNS boundary is impossible.  
So to me it seems like the wrong tool for the job.

Given that this model has been chosen, in the knowledge that it's based 
on an assumption that the problem cases in (a) are addressed by (b), how 
well has that assumption been tested?  The boundary issues should be 
well known.  Several have been raised already on this list.  I'd be 
interested in seeing Mozilla's analysis of them.

My feeling is there will be a lot of false positives and negatives near 
the border, since the "solution" is in a different "space" to the 
problem.  Given the amount of work entailed in attempting to do (b), 
surely there's a responsibility to do this right?  I fear such a crude 
tool will not only cause problems for users, webmasters and TLD 
managers, but also leave ample room for people to circumvent its intent, 
leaving us worse off than we are now - still with cookies broken, still 
with privacy issues and XS issues, but now a major browser vendor 
causing DNS administrative havoc, and forcing people to rewrite their 
websites as well.  How to win friends and influence people.  And the 
justification for this is that it will.... Allow some "safe" cross-site 
cookies?  What happens when it doesn't do that?  Do people even care 
enough about that to live with this solution?

In a perfect world if this turns to custard, only Mozilla would suffer, 
but this isn't a perfect world, and actually I'm sure we'd all like 
Mozilla to live long and prosper.

In the end what will be the deciding factors?  I see users dumping FF3 
when it doesn't work with the websites they know and trust.  I see the 
reviews bemoaning compatibility issues.  Mozilla needs to be careful 
when introducing something like this that can create many compatibility 
issues where the previous version didn't have them.  In the end if some 
large jurisdictions refuse to play along, where does that leave 
Mozilla's users?  Looking for another browser perhaps..  Unless Mozilla 
feels it has too many users, I'd urge caution in that area.  As an 
absolute minimum a way to turn it off... even if it is buried deep in 
about:config (and you can't seriously expect us to believe that a 
required criterion for a setting being in there is that it can be 
understood by the majority of users).


Regards

Adrien



Gervase Markham wrote:
> Jamie Lokier wrote:
>   
>> The information would be published in the ISP's TLD-alike domain, not
>> the customer's subdomains.  E.g. 'co.uk', not 'mybank.co.uk', assuming
>> the information is "each domain $WORD.co.uk is independent".
>>
>> The values are the same information that you are gathering.  The
>> ISP/NIC (Nominet UK for .co.uk) does not need to contact their
>> customers for this: it's a .co.uk policy.
>>     
>
> OK. Then we are basically back to Yngve's suggestion. But this does
> require universal take-up for universal support - and that, as someone
> else has pointed out, makes it (in my opinion) doomed.
>
> Gerv
>
>   

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 10 June 2008 12:09:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:48 GMT