Re: [DNSOP] Public Suffix List

[Why not go DNSSEC first instead of solving a problem which is not a 
real problem? See below... ]

Gervase Markham wrote:
[..]
> The technology in question, including a version of the list, is about
> to ship in Firefox 3, but we'd like to verify and improve the quality
> of the underlying data.

You are *hard-coding* such a list into a 'product'? You do realize that 
a lot of people simply don't update their software, I hope. Unfortunately, 
for the OSes that need updating the most, those people don't tend to update.

Hard-coding can be fine for most TLDs which are quite static in setup 
and might not ever change, but what about everybody else?

You might want to consider using at least an RBL-style way for this.
Though, you will of course hit off on all the privacy folks when you are 
doing another DNS query for www.spooks.gov.rbl.mozilla.org every hit and 
collecting all that information. Guess that quite a few companies would 
also become quite jealous of those kinds of data-collecting techniques, 
just like the current "domain protection" stuff that exists in FF which 
allows collection of that kind of information.

[..]
> We are maintaining a list of all "Public Suffixes". A Public Suffix is a
> domain label under which internet users can directly register domains.
> Examples of Public Suffixes are ".net", ".org.uk" and ".pvt.k12.ca.us".

How can non-TLDs get into this list!? E.g. www.google.com is quite 
different from evilsite.google.com which is not under the same 
administrative control as the first. Of course it is not the smartest 
way of setting up a trusted site, but it happens a lot, e.g. to save on 
costs for SSL certificates one customer gets cust1.ssl.example.org and 
the next cust2.ssl.example.org, they are not the same and might both be 
evil. Not even going into warring departments or even rival countries 
being put under the same DNS label (tw.example.org, cn.example.org ;)

If you are going to push this 'technology', you might want to consider 
doing an SPF-alike test, thus getting that information from the provider 
of the label, or better: fix the cookie standards.

The latter could be achieved, amongst others, by having the cookie 
include only exactly the domains/sites for which that cookie is valid.
And of course not allowing wild-card cookies anymore...

And another much better step which I think the rest of this group (as of 
course this message is just and only my personal opinion and not that of 
the group in any way... that is how the IETF works after all ;) would 
actually also like is the use of DNSSEC. Which actually tells you that 
the domain you are looking at is really the domain you are requesting 
records from. Who cares about the cookie domain if bank.com is actually 
evilbank.com. (of course again not even going to the b4nk.com example 
and all others).

Lastly; DNS does not establish that you are talking to the domain you 
think you are talking to, it only makes it look like that.

Greets,
  Jeroen

Received on Monday, 9 June 2008 16:53:24 UTC
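
Added example, not part of the original message and not Mozilla's code: a minimal sketch of how a suffix list scopes a cookie's Domain attribute, applied to the cust1/cust2.ssl.example.org case raised in the message. The function names and the suffix set are constructed for illustration; only plain rules are modelled (the real list's wildcard and exception rules are omitted).

```javascript
// Constructed, simplified suffix list built around the examples quoted in
// the thread (".net", ".org.uk", ".pvt.k12.ca.us"). Plain rules only.
const BASE_SUFFIXES = new Set([
  "net", "org", "uk", "org.uk", "us", "ca.us", "k12.ca.us", "pvt.k12.ca.us",
]);

// Lower-case and strip leading/trailing dots ("Domain=.example.org" style).
const normalize = (name) => name.toLowerCase().replace(/^\.+|\.+$/g, "");

// Longest listed suffix of `host`. An unlisted TLD is treated as a
// one-label public suffix (assumption mirroring a default "*" rule).
function publicSuffix(host, suffixes) {
  const labels = normalize(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (suffixes.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// True when `host` equals `domain` or is a subdomain of it.
function domainMatches(host, domain) {
  const h = normalize(host);
  const d = normalize(domain);
  return h === d || h.endsWith("." + d);
}

// May a response from `requestHost` set a cookie with Domain=`cookieDomain`?
function cookieDomainAllowed(requestHost, cookieDomain, suffixes) {
  const d = normalize(cookieDomain);
  if (!domainMatches(requestHost, d)) return false;   // unrelated host
  if (publicSuffix(d, suffixes) === d) return false;  // Domain is a public suffix
  return true;
}

// Without an entry for the shared parent, cust1 can scope a cookie to
// ssl.example.org, which cust2.ssl.example.org also matches.
const shared = cookieDomainAllowed(
  "cust1.ssl.example.org", "ssl.example.org", BASE_SUFFIXES);

// Hypothetical provider-supplied entry: the shared parent is listed, so the
// wide cookie is refused and each customer is confined to its own host.
const WITH_PROVIDER_ENTRY = new Set([...BASE_SUFFIXES, "ssl.example.org"]);
const isolated = !cookieDomainAllowed(
  "cust1.ssl.example.org", "ssl.example.org", WITH_PROVIDER_ENTRY);

console.log({ shared, isolated });
```
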