[dns-operations] Monday rant against the uses of the Public Suffix List

Vernon Schryver vjs at rhyolite.com
Tue Jan 22 00:23:46 UTC 2013

> From: Colm MacCárthaigh <colm at stdlib.net>

> > was about Google Apps instead of browsers.  Why would Google Apps
> > care about the PSL list?
> AppEngine, which depends on Google Apps accounts, supports wildcard
> sub-domains;
> https://developers.google.com/appengine/docs/domain#wildcard
> If Google allowed you to register *.com with Google apps, then your
> apps would be able to capture typos or latent traffic, where another

I understand that as saying "bugs are bugs" and "there are no new bugs under
the sun, especially under the rubric of User Friendliness."

> For similar reasons, Certificate authorities take precautions when
> signing wildcard certificates, to ensure that the level of the domain
> being signed is appropriate. If a CA were to give Nominet a
> certificate for *.co.uk - that would be a problem. But giving me
> *.stdlib.net certificate is fine, even though it's the same number of
> dots.

Why should outsiders believe that www.sub.dom.stdlib.net belongs to
stdlib.net?  Why is stdlib.net more believable on *.stdlib.net than
Nominet on *.co.uk?  The right answer is that neither should be trusted.
Only things that are as close as possible to authenticated assertions
from www.sub.dom.stdlib.net and stdlib.net saying that the other is
in the same administrative domain should be trusted.  Without such
assertions, the only course is to assume that they are independent.

That strangers are by definition untrustworthy and that you must avoid
trusting what one set of strangers says about other strangers is why
using "security" in the same breath as "PKI" has long been a joke.
Talking about commercial CAs taking precautions when signing certs
hasn't been funny for more than 10 years.

The PSL makes no more sense than the steaming piles of trusted CAs in
browsers.  It's the same old mistake of trusting what unnecessary,
self-appointed third parties say about various other third parties.

Vernon Schryver    vjs at rhyolite.com
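The *.co.uk versus *.stdlib.net contrast in Colm's quoted text, as an added example that is not code from the thread or from either poster: a minimal Public Suffix List matcher that decides whether the base of a wildcard is itself a public suffix, which is what "same number of dots" cannot tell you. The PSL excerpt is constructed and the function names are this example's own assumptions.

```python
# Added example, not code from the thread: a minimal Public Suffix List
# matcher for the question behind Colm's *.co.uk vs *.stdlib.net point: is the
# name under a wildcard itself a public suffix? PSL_EXCERPT is a constructed
# excerpt in real PSL syntax; the function names are this example's own.

PSL_EXCERPT = """
// constructed excerpt; the real list lives at https://publicsuffix.org/list/
com
net
uk
co.uk
*.ck
!www.ck
"""
# *.ck: every label directly under .ck is public, except the registrable www.ck

def parse_psl(text):
    """Rules of a PSL file, with comments and blank lines dropped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("//")]

def public_suffix(domain, rules):
    """Public suffix per the PSL algorithm: an exception rule ('!') wins
    outright, otherwise the matching rule with the most labels wins, and
    with no match at all the TLD is the public suffix."""
    labels = domain.lower().strip(".").split(".")
    prevailing, is_exception = ["*"], False
    for rule in rules:
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue  # rule has more labels than the name: cannot match
        tail = labels[-len(rule_labels):]
        if all(r in ("*", t) for r, t in zip(rule_labels, tail)):
            if rule.startswith("!"):
                prevailing, is_exception = rule_labels, True
                break
            if len(rule_labels) > len(prevailing):
                prevailing = rule_labels
    if is_exception:
        prevailing = prevailing[1:]  # exception: drop its leftmost label
    return ".".join(labels[-len(prevailing):])

def wildcard_spans_public_suffix(wildcard, rules):
    """True when '*.<base>' would cover names registered by unrelated
    parties, i.e. <base> is itself a public suffix. This is the check a CA
    needs; the number of dots alone cannot separate *.co.uk from *.stdlib.net."""
    if not wildcard.startswith("*."):
        raise ValueError("expected a name of the form *.<base>")
    base = wildcard[2:].lower().strip(".")
    return public_suffix(base, rules) == base
```

With this excerpt, *.stdlib.net and *.foo.ck have the same number of dots, yet the first is fine and the second spans names registered by unrelated parties.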
