- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 10 Jun 2008 03:23:23 +1200
- To: Frank Ellermann <hmdmhdfmhdjmzdtjmzdtzktdkztdjz@gmail.com>
- CC: ietf-http-wg@w3.org, dnsop@lists.uoregon.edu
I agree. I'm really not fond of this idea. IMHO creating registries and heuristics like this will be about as effective as bayesian antispam. I see it creating a large administrative burden on many people, but never catching up with the current state. I see people relying on it for all manner of things for which it's not designed. Also you're dealing with organisations whose prime focus is not maintaining your list. You might get some initial enthusiasm to start, but down the track I see that waning. This is all being proposed to _enable_ cross-site cookies (as opposed to just blocking or warning the user).. why not make that aspect explicit? I can't see any other way to make it secure. Ignore DNS, make the cookies' realm explicit. As for privacy, if an issuer of a cookie prescribes the realms within which that cookie may be submitted, then privacy falls under the control of the cookie-issuing site. A compliant browser won't submit it outside those realms. And as for sites colluding... well there are other ways for sites to collude to learn things from each other without even involving the client. I think we have to accept that if sites really want to collude, they will find a way to do so. Frank Ellermann wrote: > Gervase Markham wrote: > > [NIC, WHOIS, and WWW] > >> Interesting, but I don't think it's relevant. What makes you >> think it is? >> > > I think that any concept of "globally reserved" SLD labels is > FUBAR. What could happen is that your list claims to list all > SLDs for a given TLD, forgetting NIC, WHOIS, or WWW. > > What TLDs do is their business, and it could be a can of worms > if the TLDs are redelegated later. It would be nice to know > the state of the art now for any given TLD, and TLD admins are > free to publish their policies in an RFC. Unfortunately most > don't, offering an official IANA registry where they can do it > might help, but it is tricky. > > They'd need to be aware that it will be near to impossible to > change some published practises even after a TLD redelegation. > > E.g., .co.uk is what it is today, any attempt to twist it into > an ordinary domain or wildcard could cause havoc, but it is > hard to find anybody in the position to say MUST NOT. If TLD > .uk itself says it, is that binding after a redelegation ? If > ICANN says it, do they have a MoU with ccTLD .uk covering it ? > AFAIK there is no BCP or standards track RFC to justify this. > > If your private list says it, what if they really change their > rules for some convoluted applications we are not yet aware of, > say NAPTR ? What if the DKIM WG invents a new .co.uk wildcard > for ADSP purposes ? BTW, they won't, but IMO your list cannot > guarantee that nobody else does it. > > That you forwarded your question to the HTTPbis list triggered > my sitefinder.verisign alert, HTTP is not the only user of DNS. > > >>> At the time when it was created I submitted a few obscure >>> cases like .e164.arpa to the SURBL suffix white list, >>> > > >> Where can I find a copy of this list? >> > > What I had in mind was <http://www.surbl.org/faq.html#cctlds> > with a link to <http://spamcheck.freeapp.net/two-level-tlds> - > IMHO the term "two level TLDs" is already too wrong to fix it. > > >> We are maintaining it for anyone and everyone to use. If IANA >> were interested in maintaining this information instead of us, >> that would be great. >> > > I think that IANA is not "interested" to create new registries, > they are "obliged" to do this under RFC 5226 and 2860 rules. :-) > > See <http://www.iab.org/documents/correspondence/index.html> with > http://www.iab.org/documents/correspondence/IANA-2006/IAB-IANA-Position.htm > http://www.iab.org/documents/correspondence/2008-02-15-midterm-view-icann-doc-jpa.html > > Frank > > > -- Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Monday, 9 June 2008 15:22:28 UTC