Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00) from Gervase Markham on 2012-05-10 (public-web-security@w3.org from May 2012)

From: Gervase Markham <gerv@mozilla.org>
Date: Thu, 10 May 2012 16:08:16 +0100
To: Andrew Sullivan <ajs@anvilwalrusden.com>
CC: Eric Rescorla <ekr@rtfm.com>, Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
Message-ID: <4FABD9E0.7030504@mozilla.org>

On 10/05/12 14:40, Andrew Sullivan wrote:
> On Thu, May 10, 2012 at 11:08:16AM +0100, Gervase Markham wrote:
>> On 08/05/12 17:14, Andrew Sullivan wrote:
>>> For instance, the current list has a large number of entries of
>>> domains held by Dyn (my employer), but not a list of similar entries
>>> for at least some names offered by freedns.afraid.org.  We now know
>>> that ICANN has at least 1200 pending applications for TLDs, which
>>> they'll be awarding in batches starting some time in the next year;
>>> the policies under all of those will also need to be reflected in the
>>> publicsuffix list.  
>>
>> Not so; only if they offer non-flat registration, i.e. they implement
>> some sort of subdomain structure.
> 
> Adding only the one label itself is still reflecting those policies,
> no? 

Because of the backwardly-compatible way implementations are encouraged
to behave when they detect a suffix not present in the PSL, a PSL entry
like this:

// New ".suffix" domain
suffix

...is the same as no entry at all. A PSL entry is only required for
proper operation, in most contexts, (Chrome may disagree given the way
they use it for determining what's a domain and what's a search term) if
there is a more complicated sub-structure than that.

> Someone is going to have to look at all of them and make a
> decision. 

Yes; or the domain owners are going to have to tell us.

> I understand and appreciate the work that has gone into the
> publicsuffix list, and I think it was an important step in addressing
> some pretty serious problems.  But I don't see how it scales, given
> that it already has maintenance problems before the planned increase
> in the root zone size.

I am not arguing that the status quo is awesome :-) I am just pointing
out that the problem is not (quite) as bad as you suggest.

If the PSL were replaced by a worldwide agreement to encode the info in
the DNS, in a way which was harvestable to produce a legacy PSL and also
directly queryable, I think I might do a little dance of happiness.

Gerv

Received on Thursday, 10 May 2012 15:08:48 UTC