[three possible solutions below, thus keep on reading ;) ]

Stephane Bortzmeyer wrote:
> On Mon, Jun 09, 2008 at 04:53:01PM -0500,
> Ted Lemon <[EMAIL PROTECTED]> wrote a message of 16 lines which said:
>
>> Why not just set up a list of TLDs in a mozilla.org subdomain, sign
>> the subdomain with DNSSEC, put the DNSSEC public key into firefox,
>> and have firefox consult the TLD list in the DNS, verified with
>> DNSSEC, whenever information is needed?
>
> Your proposal solves *one* problem (the one well explained by Andrew
> Sullivan), the difficulty of having an up-to-date list in the
> installed browsers.
> It leaves open the other problems:
> [..]

And of course the problem of privacy. Asking a mozilla.org or whatever remote domain not associated with the primary domain allows all of mozilla.org (or whatever RBL domain is used) to see at least the domains I am locally using. This of course becomes funnier with local domains that are only on the Intranet. (The same goes for Email RBLs of course, and for using Google and other search engines: every bit of information you disclose is a loss for your privacy; it all depends on what you like or do not like.)

As such, if one really wants to have these "LISTS" then let the Domain Admins publish them, as they know best. It is their domain after all.

(I) Thus, as I mentioned before, look at the SPF crowd: publish a TXT or, most likely even better, another special record which indicates what domains are associated with it, or actually you will want to describe which domains are NOT associated with it under that sublevel.

e.g.:

example.co.uk TXT "v=psl1 +example.co.uk -evil.example.co.uk -all"
example.org   TXT "v=psl1 +good.example.org -all"


(II) Then again, as others mentioned, this is after all an HTTP issue, thus having a special HTTP header which encodes the above is already much better.


(III) Having that list in the cookie is of course another solution which solves the problem where it should be solved... and my vote would indeed be for the latter: better restrictions on cookie domains.

Yes, that does not resolve it 'directly' globally. But clearly the people using cookies don't care about it at the moment, otherwise they would be complaining and fixing the problem. If this new cookie mechanism is available though and people are made aware of it, they for sure are going to use it if they think it solves a part of their security issues.

Greets,
 Jeroen
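As an added illustration that is not part of the mail or of any implementation: a toy evaluator for the hypothetical "v=psl1" TXT syntax from (I), used as the cookie-Domain acceptance check argued for in (III). The mail does not define matching precedence, so "most specific term wins" and "no record means deny" are assumptions made here; the record strings are the mail's own examples.

```python
"""Toy evaluator for the hypothetical "v=psl1" TXT record sketched in the mail."""

# Constructed sample records, copied from the mail (with a space before "-all").
RECORDS = {
    "example.co.uk": "v=psl1 +example.co.uk -evil.example.co.uk -all",
    "example.org": "v=psl1 +good.example.org -all",
}

def parse_psl1(txt: str) -> list[tuple[bool, str]]:
    """Split 'v=psl1 <+|-><domain> ...' into (allow, domain) terms; 'all' is a wildcard."""
    fields = txt.split()
    if not fields or fields[0] != "v=psl1":
        raise ValueError("not a v=psl1 record")
    terms = []
    for f in fields[1:]:
        if len(f) < 2 or f[0] not in "+-":
            raise ValueError(f"malformed term: {f!r}")
        terms.append((f[0] == "+", f[1:].lower().rstrip(".")))
    return terms

def _matches(term_domain: str, name: str) -> bool:
    """'all' matches anything; otherwise exact match or suffix match on a label boundary."""
    return term_domain == "all" or name == term_domain or name.endswith("." + term_domain)

def is_associated(record_txt: str, name: str) -> bool:
    """Is `name` associated with the record owner?  Assumption (not in the mail): the
    most specific matching term wins, so -evil.example.co.uk overrides +example.co.uk,
    and 'all' is the least specific term of all."""
    name = name.lower().rstrip(".")
    best = None  # (specificity, allow) of the most specific matching term so far
    for allow, dom in parse_psl1(record_txt):
        if _matches(dom, name):
            specificity = -1 if dom == "all" else dom.count(".") + 1
            if best is None or specificity > best[0]:
                best = (specificity, allow)
    return bool(best and best[1])

def cookie_domain_allowed(setter_host: str, cookie_domain: str) -> bool:
    """Should a cookie set by `setter_host` with Domain=`cookie_domain` be accepted?
    The Domain must be a suffix of the setter and the Domain owner's record must list
    the setter as associated.  Constructed policy: no record at all means deny."""
    setter_host, cookie_domain = setter_host.lower(), cookie_domain.lstrip(".").lower()
    if not (setter_host == cookie_domain or setter_host.endswith("." + cookie_domain)):
        return False
    record = RECORDS.get(cookie_domain)
    return record is not None and is_associated(record, setter_host)
```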


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
