
From nobody Thu May 14 13:54:22 2015
Return-Path: <superuser@gmail.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55DD91ACD4C for <dbound@ietfa.amsl.com>; Thu, 14 May 2015 13:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LgtfObREvzjj for <dbound@ietfa.amsl.com>; Thu, 14 May 2015 13:54:18 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 888F81A8A10 for <dbound@ietf.org>; Thu, 14 May 2015 13:54:11 -0700 (PDT)
Received: by wizk4 with SMTP id k4so257399306wiz.1 for <dbound@ietf.org>; Thu, 14 May 2015 13:54:10 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.210.162 with SMTP id mv2mr27586693wic.59.1431636850335;  Thu, 14 May 2015 13:54:10 -0700 (PDT)
Received: by 10.27.170.134 with HTTP; Thu, 14 May 2015 13:54:10 -0700 (PDT)
In-Reply-To: <55300ADD.4080001@qti.qualcomm.com>
References: <55300ADD.4080001@qti.qualcomm.com>
Date: Thu, 14 May 2015 13:54:10 -0700
Message-ID: <CAL0qLwZAmiV4pCtrFUoFfPVOoXHkCpRb_guwo531SSUZg-Zqog@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Pete Resnick <presnick@qti.qualcomm.com>, "Murray S. Kucherawy" <superuser@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c37daee96570051610edb5
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/OVjrzX3-oVQeOs3_Kj-te4vFKC8>
Cc: "dbound@ietf.org" <dbound@ietf.org>
Subject: Re: [dbound] Schedule and milestones
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 20:54:19 -0000

--001a11c37daee96570051610edb5
Content-Type: text/plain; charset=UTF-8

On Thu, Apr 16, 2015 at 12:17 PM, Pete Resnick <presnick@qti.qualcomm.com>
wrote:

> We're still plowing through the mailing list to come up with an issues
> list from previous discussions, but wanted to get a "plan" on the table.
> Here's what we've come up with, including due dates for each of the initial
> milestones:
>
> * Stabilization of the problem statement (May 15, 2015)
>   * no intent to publish
>   * could move it to the Wiki
> * Proposals for solutions (June 2, 2015)
>   * on-list discussion of drafts
>   * expect them to be Standards Track or Experimental; these are protocols
> * Drafts for discussion at IETF 93 (July 6, 2015)
> * Calls for Adoption of some documents at IETF 93 (July 24, 2015)
>

Given the dearth of responses to this, can we safely assume that what we
have as the problem statement document is ready to stick to the wall as the
official basis for our work going forward?

-MSK

--001a11c37daee96570051610edb5--


From nobody Fri May 15 01:40:26 2015
Return-Path: <gerv@mozilla.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 060D91B2EAE for <dbound@ietfa.amsl.com>; Fri, 15 May 2015 01:40:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 010e9uHXDZ-B for <dbound@ietfa.amsl.com>; Fri, 15 May 2015 01:40:21 -0700 (PDT)
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C02091B2DBE for <dbound@ietf.org>; Fri, 15 May 2015 01:40:21 -0700 (PDT)
Received: by wgin8 with SMTP id n8so104981652wgi.0 for <dbound@ietf.org>; Fri, 15 May 2015 01:40:20 -0700 (PDT)
X-Received: by 10.194.58.11 with SMTP id m11mr16395261wjq.92.1431679220211; Fri, 15 May 2015 01:40:20 -0700 (PDT)
Received: from [192.168.0.103] (93.243.187.81.in-addr.arpa. [81.187.243.93]) by mx.google.com with ESMTPSA id qs2sm1373157wjc.31.2015.05.15.01.40.18 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 15 May 2015 01:40:19 -0700 (PDT)
Message-ID: <5555B0F2.3030903@mozilla.org>
Date: Fri, 15 May 2015 09:40:18 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: "Murray S. Kucherawy" <superuser@gmail.com>,  Pete Resnick <presnick@qti.qualcomm.com>
References: <55300ADD.4080001@qti.qualcomm.com> <CAL0qLwZAmiV4pCtrFUoFfPVOoXHkCpRb_guwo531SSUZg-Zqog@mail.gmail.com>
In-Reply-To: <CAL0qLwZAmiV4pCtrFUoFfPVOoXHkCpRb_guwo531SSUZg-Zqog@mail.gmail.com>
OpenPGP: id=EEDEEFF962E97696DACBD2CCD9B347EA9DF43DBB
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/6DLybMwR1MwhnQWC6-UpzEkACLA>
Cc: "dbound@ietf.org" <dbound@ietf.org>
Subject: Re: [dbound] Schedule and milestones
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2015 08:40:25 -0000

On 14/05/15 21:54, Murray S. Kucherawy wrote:
> Given the dearth of responses to this, can we safely assume that what we
> have as the problem statement document is ready to stick to the wall as
> the official basis for our work going forward?

Only one comment on the problem statement document: No-one calls them
"effective TLDs" any more; that name remains only in the _historical_
name of the file, and I hope one day to eliminate even that:
https://bugzilla.mozilla.org/show_bug.cgi?id=1155581

Fixing this is not a show-stopper.

Gerv



From nobody Wed May 20 07:47:35 2015
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BB7F1A87A9; Wed, 20 May 2015 07:47:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level: 
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4hzuGut92Bv; Wed, 20 May 2015 07:47:25 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id BE6231A87B3; Wed, 20 May 2015 07:47:25 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id E2488F984; Wed, 20 May 2015 10:47:22 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 7153F1FF8C; Wed, 20 May 2015 10:47:00 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Tom Ritter <tom@ritter.vg>, Suzanne Woolf <suzworldwide@gmail.com>, dnsop@ietf.org, IETF dbound WG <dbound@ietf.org>
In-Reply-To: <555C78B3.5080103@ritter.vg>
References: <0CB7A66E-B6C9-4FE7-8452-172A5CF48895@gmail.com> <555C78B3.5080103@ritter.vg>
User-Agent: Notmuch/0.20~rc1 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Wed, 20 May 2015 10:47:00 -0400
Message-ID: <87h9r7ux0b.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/tIztXqzwP1MGmhXuAmTOO7sRCu4>
Subject: Re: [dbound] [DNSOP] followup and proposed actions: RFC 6761 interim and next steps
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2015 14:47:31 -0000

[ not subscribed to dnsop, so this might not post to the list; please cc
  me on replies ]
  
On Wed 2015-05-20 08:06:11 -0400, Tom Ritter wrote:
> On 5/19/15 5:18 PM, Suzanne Woolf wrote:
>> 4. It's been pointed out that the maintenance of the special use names
>> registry is complicated by the fact that people used to be able to
>> assume the root zone was relatively stable, and this assumption has
>> become less defensible. (ICANN is not currently accepting new
>> applications for TLDs, and has no announced schedule for opening an
>> application window again, but has said they plan a future application
>> round.) Is there something that the IETF should be doing to help DNS
>> implementers and operators handle this change in the environment?
>
> Yes - and I've not been following the effort closely, but I believe it's
> being done over in DBOUND in their work to replace the Public Suffix List.
>
> Because (AIUI) DBOUND is intended to specify security-relevant zone cuts
> *in DNS* using it to specify names that are reserved in DNS but not _in_
> DNS might come out a little weird... but it seems like the most relevant
> place to at least take the idea and discuss it.

The above is a little hard to parse, but i think Tom is suggesting that
dbound will not result in a "security-relevant zone cut" mechanism that
is implemented in the DNS itself.

i don't think that constraint is a given for DBOUND work at all (though
i might be confused -- hopefully other dbounders can comment).

I think the most likely way for DBOUND to be implemented is to introduce
some sort of "organizational boundary goes here" DNS record, and the
wrangling is going to be around what that record looks like and what its
semantics will be.

Regards,

      --dkg


From nobody Fri May 29 08:03:26 2015
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 505C61A92B7 for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 08:03:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.552
X-Spam-Level: 
X-Spam-Status: No, score=0.552 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrqW4kwoGM_8 for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 08:03:24 -0700 (PDT)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 599A41AC3D1 for <dbound@ietf.org>; Fri, 29 May 2015 08:03:24 -0700 (PDT)
Received: from [10.20.30.101] (142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t4TF3Nf1082851 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dbound@ietf.org>; Fri, 29 May 2015 08:03:23 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-100.dsl.dynamic.fusionbroadband.com [142.254.17.100] claimed to be [10.20.30.101]
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <BE83830A-F34D-420F-A222-B95D580DCC6F@vpnc.org>
Date: Fri, 29 May 2015 08:03:25 -0700
To: dbound@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/y64iIXZW2q0JLg_ZC_pODZAiuH4>
Subject: [dbound] Some work that will probably hit dbound sooner rather than later
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 15:03:25 -0000

https://bugzilla.mozilla.org/show_bug.cgi?id=1169149

tl;dr: It is valid for CAs to write certificates for "*.tld" when the TLD is controlled by one organization. Browser vendors want to know which TLDs that is reasonable for, and which (such as "*.com") it is not.

--Paul Hoffman


From nobody Fri May 29 13:36:23 2015
Return-Path: <gerv@mozilla.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CC031A8709 for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 13:36:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kV1S4A1Pkflk for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 13:36:18 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F8F31A8851 for <dbound@ietf.org>; Fri, 29 May 2015 13:36:14 -0700 (PDT)
Received: by wizo1 with SMTP id o1so37759539wiz.1 for <dbound@ietf.org>; Fri, 29 May 2015 13:36:12 -0700 (PDT)
X-Received: by 10.194.2.66 with SMTP id 2mr13117708wjs.21.1432931772708; Fri, 29 May 2015 13:36:12 -0700 (PDT)
Received: from [192.168.0.110] (fpc2-shef11-2-0-cust7.17-1.static.cable.virginm.net. [94.173.170.136]) by mx.google.com with ESMTPSA id ez19sm4626683wid.19.2015.05.29.13.36.11 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 May 2015 13:36:11 -0700 (PDT)
To: Paul Hoffman <paul.hoffman@vpnc.org>, dbound@ietf.org
References: <BE83830A-F34D-420F-A222-B95D580DCC6F@vpnc.org>
From: Gervase Markham <gerv@mozilla.org>
Openpgp: id=EEDEEFF962E97696DACBD2CCD9B347EA9DF43DBB
Message-ID: <5568CDBA.2000701@mozilla.org>
Date: Fri, 29 May 2015 21:36:10 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.0
MIME-Version: 1.0
In-Reply-To: <BE83830A-F34D-420F-A222-B95D580DCC6F@vpnc.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/Rc-jQNrHJM2BWWFB7yKysJ0XTkY>
Subject: Re: [dbound] Some work that will probably hit dbound sooner rather than later
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 20:36:21 -0000

On 29/05/15 16:03, Paul Hoffman wrote:
> tl;dr: It is valid for CAs to write certificates for "*.tld" when the
> TLD is controlled by one organization. Browser vendors want to know
> which TLDs that is reasonable for, and which (such as "*.com") it is
> not.

Browser software is not the right place to enforce this policy; CAs are.
And the CAB Forum Baseline Requirements say exactly what should be said
- i.e. don't issue such a cert unless the applicant can prove ownership
of the entire domain space.

Gerv


From nobody Fri May 29 14:08:27 2015
Return-Path: <noloader@gmail.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5980F1ACE92 for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 14:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level: 
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id msb8_lCK7NaN for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 14:08:24 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8E2C1A88F4 for <dbound@ietf.org>; Fri, 29 May 2015 14:08:24 -0700 (PDT)
Received: by igbpi8 with SMTP id pi8so23802228igb.1 for <dbound@ietf.org>; Fri, 29 May 2015 14:08:24 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.50.61.229 with SMTP id t5mr6570547igr.34.1432933704056; Fri, 29 May 2015 14:08:24 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Fri, 29 May 2015 14:08:24 -0700 (PDT)
In-Reply-To: <BE83830A-F34D-420F-A222-B95D580DCC6F@vpnc.org>
References: <BE83830A-F34D-420F-A222-B95D580DCC6F@vpnc.org>
Date: Fri, 29 May 2015 17:08:24 -0400
Message-ID: <CAH8yC8nW=DJnuQ4OZx6tLj2JtaTm=4hoC5F4x1hP1fNRkAbp=A@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/OeFu4A49sh5Q7xKGIwAybWsilho>
Cc: "dbound@ietf.org" <dbound@ietf.org>
Subject: Re: [dbound] Some work that will probably hit dbound sooner rather than later
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 21:08:26 -0000

On Fri, May 29, 2015 at 11:03 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1169149
>
> tl;dr: It is valid for CAs to write certificates for "*.tld" when the TLD is controlled by one organization.
Yes. For example, *.google - it is owned by Google, and controlled by
Google. (I don't have an example of owned by one party but control
delegated to another party).

The trick is determining the intersection of the vanity domain with
ownership/control. I don't know how to solve that one, and I'm waiting
for DBOUND to tell me what the best practice is.

> Browser vendors want to know which TLDs that is reasonable for, and which (such as "*.com") it is not.
This is a different problem.

We know no one individual "owns" or "controls" *.COM, *.NET, etc.
There's no reason to even entertain the possibility. The only time I
have encountered them in the wild (twice now) is when I am under
attack by Burp Suite, Charles Proxy, etc.

Last summer, I even met a pen tester who used them in Burp for iOS
because it made breaking the channel so easy :)

By the way, the IETF appears to claim *.COM, *.NET, etc. is valid. I
shake my head in disbelief every time someone tells me "but the IETF
does not prohibit it...".

Jeff


From nobody Fri May 29 18:11:53 2015
Return-Path: <rubensk@nic.br>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC6A1ACE64 for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 18:11:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.138
X-Spam-Level: **
X-Spam-Status: No, score=2.138 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_BR=0.955, HOST_EQ_BR=1.295, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nu6eKxMYslR9 for <dbound@ietfa.amsl.com>; Fri, 29 May 2015 18:11:51 -0700 (PDT)
Received: from mail.nic.br (mail.nic.br [IPv6:2001:12ff:0:4::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62BC31ACE5B for <dbound@ietf.org>; Fri, 29 May 2015 18:11:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.nic.br (Postfix) with ESMTP id B1C3A10C6EC; Fri, 29 May 2015 22:11:38 -0300 (BRT)
X-Virus-Scanned: Debian amavisd-new at mail.nic.br
Authentication-Results: mail.nic.br (amavisd-new); dkim=pass (1024-bit key) header.d=nic.br
Received: from mail.nic.br ([127.0.0.1]) by localhost (mail.nic.br [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CMXCIy3W6cYb; Fri, 29 May 2015 22:11:36 -0300 (BRT)
Received: from [192.168.100.127] (unknown [201.73.225.50]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.nic.br (Postfix) with ESMTPSA id 1ECAC10C8F8; Fri, 29 May 2015 22:11:35 -0300 (BRT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_A78CD610-BECA-432B-B9D0-D958AE7AD407"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Rubens Kuhl <rubensk@nic.br>
In-Reply-To: <BE83830A-F34D-420F-A222-B95D580DCC6F@vpnc.org>
Date: Fri, 29 May 2015 22:11:32 -0300
Message-Id: <646AF956-E553-4900-B913-83CAC72F7921@nic.br>
References: <BE83830A-F34D-420F-A222-B95D580DCC6F@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.2098)
DMARC-Filter: OpenDMARC Filter v1.3.1 mail.nic.br 1ECAC10C8F8
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/HCjD-QoA27VzdkRrMusy3kId8Mg>
Cc: dbound@ietf.org
Subject: Re: [dbound] Some work that will probably hit dbound sooner rather than later
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 May 2015 01:11:52 -0000

--Apple-Mail=_A78CD610-BECA-432B-B9D0-D958AE7AD407
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


> On May 29, 2015, at 12:03 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1169149
> 
> tl;dr: It is valid for CAs to write certificates for "*.tld" when the TLD is controlled by one organization. Browser vendors want to know which TLDs that is reasonable for, and which (such as "*.com") it is not.
> 
> --Paul Hoffman
> 

My take is that exclusive use registries qualify for *.tld certificates while usual ones or Spec 13 ones do not.

I will provide some examples.

This one, .globo, would qualify for *.globo:
https://www.icann.org/resources/agreement/globo-2013-12-19-en

This one, .barclays, wouldn't for *.barclays:
https://www.icann.org/resources/agreement/barclays-2014-11-20-en

The difference is that the first only allows for its own organisation to use its TLD, while the other allows for other organisations that are brand-licensees to register domains.

The algorithm would be:
Has no exemption to code of conduct -> Can't have wildcard
Has exemption but allows for carving for licensees -> Can't have wildcard
Has exemption but doesn't allow anyone else to use -> Can have wildcard


Rubens

--Apple-Mail=_A78CD610-BECA-432B-B9D0-D958AE7AD407--
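Added example, not code from this thread or from any CA or browser: a pre-issuance (or relying-party) check that applies Rubens's three-rule registry classification to TLD-level wildcard names, with Paul's "*.tld" question and Jeff's "*.com" observation in mind. The REGISTRY_CLASS table is constructed sample data covering only the TLDs named above, and all function and class names are my own.

```python
"""Pre-issuance / pre-trust check for TLD-level wildcard dNSNames.

Added example, not code from the dbound thread or from any CA/browser.
It combines Paul Hoffman's question (which "*.tld" names are reasonable
to issue for) with Rubens Kuhl's three-way registry classification.
REGISTRY_CLASS is constructed sample data, not a real feed; the .globo,
.barclays and .com entries mirror what the thread says about them.
"""
from dataclasses import dataclass
from enum import Enum


class RegistryClass(Enum):
    NO_EXEMPTION = "no code-of-conduct exemption"          # e.g. .com, .net
    EXEMPT_WITH_LICENSEES = "exempt, but brand licensees may register"
    EXCLUSIVE_USE = "exempt, registry operator is the only registrant"


# Constructed sample classification; a real deployment would derive it
# from the ICANN registry agreements (Spec 13 / code-of-conduct exemptions).
REGISTRY_CLASS = {
    "com": RegistryClass.NO_EXEMPTION,
    "net": RegistryClass.NO_EXEMPTION,
    "globo": RegistryClass.EXCLUSIVE_USE,
    "barclays": RegistryClass.EXEMPT_WITH_LICENSEES,
}


@dataclass(frozen=True)
class Verdict:
    name: str
    tld_level: bool   # True when the wildcard covers an entire TLD
    allowed: bool
    reason: str


def _labels(name: str) -> list[str]:
    """Lower-case, drop one trailing dot, split into DNS labels."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def wildcard_verdict(name: str, registry_class: dict[str, RegistryClass]) -> Verdict:
    """Judge one dNSName. Only "*.tld" is decided by the registry class;
    deeper wildcards are outside this thread's question and pass through.
    Unknown TLDs fail closed: they are treated as having no exemption."""
    labels = _labels(name)
    if not labels or "" in labels:
        return Verdict(name, False, False, "malformed name")
    if not any("*" in label for label in labels):
        return Verdict(name, False, True, "not a wildcard name")
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return Verdict(name, False, False, "wildcard must be the entire leftmost label")
    if len(labels) == 1:
        return Verdict(name, False, False, "bare wildcard with no parent domain")
    if len(labels) > 2:
        return Verdict(name, False, True, "not a TLD-level wildcard; outside this check")

    tld = labels[1]
    cls = registry_class.get(tld, RegistryClass.NO_EXEMPTION)
    # Rubens's three rules, in the order he gave them.
    if cls is RegistryClass.NO_EXEMPTION:
        # "*.com"-style names: nobody controls the whole TLD. As Jeff notes,
        # meeting one in the wild usually means an interception proxy.
        return Verdict(name, True, False, f".{tld}: no exemption, can't have wildcard")
    if cls is RegistryClass.EXEMPT_WITH_LICENSEES:
        return Verdict(name, True, False, f".{tld}: licensees may register, can't have wildcard")
    return Verdict(name, True, True, f".{tld}: exclusive use, can have wildcard")


def audit_san_list(names, registry_class=REGISTRY_CLASS) -> list[str]:
    """Return the dNSNames a CA should refuse (or a relying party should flag)."""
    return [v.name for v in (wildcard_verdict(n, registry_class) for n in names)
            if not v.allowed]


if __name__ == "__main__":
    for n in ["*.globo", "*.barclays", "*.com", "*.example.com"]:
        v = wildcard_verdict(n, REGISTRY_CLASS)
        print(f"{n:16} allowed={v.allowed!s:5} {v.reason}")
```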

