- From: Eric Brunner-Williams <ebw@abenaki.wabanaki.net>
- Date: Wed, 11 Jun 2008 13:55:02 -0700
- To: Florian Weimer <fw@deneb.enyo.de>
- CC: Gervase Markham <gerv@mozilla.org>, dnsop@ietf.org, Jamie Lokier <jamie@shareable.org>, David Conrad <drc@virtualized.org>, Jelte Jansen <jelte@NLnetLabs.nl>, ietf-http-wg@w3.org
Without speaking to the "evil" vs "not", see section 2.3.2.7 of the P3P Spec, in which we (over the lamentations of a certain unnamed vendor of deterministic consumer profiling data, now owned by a _major_ search engine service provider) required that linkages between cookies be disclosed in the cookie data collection policy.

I suspect the issue is disclosure, as there are market models which are based upon covert profiling using PII (information tending to identify uniquely an individual).

I'll update the draft Dan originally wrote (using PICS labels for the policy description language, for which I substituted a semantic subset with non-XML semantics and removed the digital signatures) and re-publish it as an ID, with a note to the W3C's PLINK area people (the successors in interest to P3P).

It's not the highest thing on my todo list, but as a namespace vendor there is some attraction in having a mechanism that allows better policing of cookies, independent of partial label matches.

As someone observed off-list, it doesn't have any apparent relationship to the problem and solution(s) suggested on the dnsop/http-wg lists, so I could be mistaken (again) about the necessity or sufficiency of policy+proof as payload for the http state management mechanism.

Eric

Florian Weimer wrote:
> * Gervase Markham:
>
>> Say adserver.co.uk has contracts with mybank.co.uk, mygrocer.co.uk,
>> mypetstore.co.uk to supply them with ads. adserver.co.uk can set the
>> ad-tracking cookie for .co.uk and build up a cross-site profile of a
>> particular user, perhaps augmented by information passed to them by one
>> or more of the sites concerned. This is a privacy issue.
>
> I'd love to see an official statement from the Mozilla Foundation that
> cross-domain ad correlation is evil, and should be stopped by
> technology. Certainly this is not what you're trying to say here.
>
> I guess the real issue is that by setting a cookie for co.uk, it's
> possible to exploit session fixation vulnerabilities in web sites under
> co.uk. Unfortunately, the Public Suffix List web site is a bit unclear
> in this regard. It does not list a single protocol spec which requires
> this sort of data.
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
Received on Wednesday, 11 June 2008 20:57:10 UTC
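
The cookie-scoping problem described in the quoted text, as an added example that is not part of the original message or of any browser's code: a user agent's Domain-attribute check run once without and once with a public-suffix test. The function names and the three-entry suffix set are assumptions constructed for illustration.

```javascript
// Constructed, minimal suffix set for illustration only; a real user agent
// would load the complete Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["uk", "co.uk", "com"]);

// Normalise a host name or Domain attribute: lower-case, drop one leading dot.
function canon(name) {
  return name.toLowerCase().replace(/^\./, "");
}

// Domain match on a label boundary: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  const h = canon(host), d = canon(domain);
  return h === d || h.endsWith("." + d);
}

// Decide what scope a Set-Cookie from requestHost receives.
function cookieScope(requestHost, domainAttr, suffixes = PUBLIC_SUFFIXES) {
  const host = canon(requestHost);
  // No Domain attribute: the cookie is bound to the exact host that set it.
  if (!domainAttr) return { accepted: true, scope: host, hostOnly: true };
  const d = canon(domainAttr);
  // A site may only widen scope to one of its own parent domains.
  if (!domainMatches(host, d)) {
    return { accepted: false, reason: "request host is outside Domain" };
  }
  // Reject scopes shared by unrelated registrants (e.g. co.uk).
  if (suffixes.has(d) && d !== host) {
    return { accepted: false, reason: "Domain is a public suffix" };
  }
  return { accepted: true, scope: d, hostOnly: d === host && suffixes.has(d) };
}

// Would the stored cookie be attached to a request for `host`?
function wouldSend(cookie, host) {
  if (!cookie.accepted) return false;
  return cookie.hostOnly
    ? canon(host) === cookie.scope
    : domainMatches(host, cookie.scope);
}

// Without a suffix list, adserver.co.uk's cookie reaches every site under co.uk.
const unchecked = cookieScope("adserver.co.uk", ".co.uk", new Set());
// With the suffix list, the same Set-Cookie is refused.
const checked = cookieScope("adserver.co.uk", ".co.uk");
console.log("unchecked -> mybank.co.uk:", wouldSend(unchecked, "mybank.co.uk"));
console.log("checked   -> mybank.co.uk:", wouldSend(checked, "mybank.co.uk"),
            "(" + checked.reason + ")");
```

The same rejection covers the session fixation case raised in the reply, since a cookie that is never stored for co.uk cannot be presented to another site under co.uk.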