On Fri, Jan 30, 2015 at 7:03 PM, Watson Ladd <[email protected]> wrote:
> On Fri, Jan 30, 2015 at 6:35 PM, Matt Palmer <[email protected]> wrote:
>> On Sat, Jan 31, 2015 at 02:01:45AM +0000, Jeremy Rowley wrote:
>>> Yeah - good points. We definitely don't want to see a ?.com cert logged.
>>
>> Actually, I'd be quite happy to see a precert for ?.com logged. It would
>> make it quite clear which CA is failing to play by the rules, which is,
>> after all, rather the point of CT.
>
> Backing up quite a bit: It's clear from the examples that the level at
> which you can safely truncate a domain and know that you are
> identifying a unique organization is extremely difficult to determine.
> I'm sure there is a list out there, but it may change. And when it
> changes, old software may suddenly either accept too many certs, or
> too few.
>
> I'm sure people have thought about this more than I have.
Take a look at http://www.publicsuffix.org/. It is a formatted list that attempts to document the split between shared (e.g. public) portions of a fully qualified domain name and the registered (private) portion.

The new TLD rush is going to cause interesting issues, as there is a concept of a ".brand" where the whole TLD represents one organization. I think there is an argument these are not new (as .mil is effectively a .brand for the US Department of Defense), but I'm sure that they will be interesting from a processing perspective.

? anyone?

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
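The reply above points at the Public Suffix List as the thing that answers Watson's "where can I safely truncate a domain" question. The following is an added example, not code from the thread or from publicsuffix.org: it implements the PSL matching algorithm (longest matching rule wins, `*` wildcards, `!` exceptions, unknown TLDs default to `*`) over a small constructed subset of the list, and uses it for the check a CT monitor or CA issuance linter would want, flagging a certificate name that is itself a public suffix or a wildcard whose base is one. The `brand` TLD in the sample rules is hypothetical; it is listed the way the real PSL lists single-organization TLDs, as a plain TLD entry, which is why `host.brand` rather than `brand` comes out as the registrable domain.

```python
"""Public suffix / registrable domain computation using the PSL algorithm.

Added example for the Trans thread on truncating names to a registrant.
The rule set below is a CONSTRUCTED subset in publicsuffix.org file format,
not the real list: '//' comments, '*' wildcard labels, '!' exception rules.
"""

from typing import List, Optional

SAMPLE_PSL = """
// ===BEGIN ICANN DOMAINS===
com
mil
uk
co.uk
*.ck
!www.ck
// hypothetical .brand TLD: listed exactly like any other TLD
brand
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text: str) -> List[str]:
    """Return the non-comment, non-blank rules, lower-cased."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.append(line.lower())
    return rules


RULES = parse_psl(SAMPLE_PSL)


def _labels(host: str) -> List[str]:
    labels = host.lower().rstrip(".").split(".")
    if any(not lbl for lbl in labels):
        raise ValueError("empty label in %r" % host)
    return labels


def _rule_matches(rule: List[str], host: List[str]) -> bool:
    """A rule matches when it is a label-wise suffix of the host; '*' matches any one label."""
    if len(rule) > len(host):
        return False
    return all(r == "*" or r == h for r, h in zip(reversed(rule), reversed(host)))


def public_suffix(host: str, rules: List[str] = RULES) -> str:
    labels = _labels(host)
    normal, exceptions = [], []
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if _rule_matches(rule_labels, labels):
            (exceptions if is_exception else normal).append(rule_labels)
    if exceptions:
        prevailing = exceptions[0][1:]          # exception wins; drop its leftmost label
    elif normal:
        prevailing = max(normal, key=len)       # otherwise the rule with most labels
    else:
        prevailing = ["*"]                      # unlisted TLD: the whole TLD is the suffix
    return ".".join(labels[-len(prevailing):])


def registrable_domain(host: str, rules: List[str] = RULES) -> Optional[str]:
    """Public suffix plus one label, or None if host is itself a public suffix."""
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def suspicious_san(name: str, rules: List[str] = RULES) -> Optional[str]:
    """Reason a dNSName SAN should not be issued/logged quietly, or None.

    A name that is a public suffix, or a wildcard over one (e.g. *.co.uk),
    would cover every registrant beneath it rather than one organization.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        if registrable_domain(name[2:], rules) is None:
            return "wildcard over public suffix %r" % name[2:]
        return None
    if registrable_domain(name, rules) is None:
        return "name %r is a public suffix" % name
    return None


if __name__ == "__main__":
    for h in ["www.example.com", "foo.bar.co.uk", "a.b.ck", "foo.www.ck",
              "host.brand", "mil", "user.github.io", "example.unknown"]:
        print("%-18s suffix=%-10s registrable=%s"
              % (h, public_suffix(h), registrable_domain(h)))
    for s in ["*.example.com", "*.co.uk", "*.ck", "co.uk"]:
        print("%-15s -> %s" % (s, suspicious_san(s)))
```

Two things worth noticing when running it. `foo.www.ck` truncates to `www.ck`, not `www.ck` plus one label, because the `!www.ck` exception overrides `*.ck`; a truncator that only knows "take the last two labels" gets `.ck` and `.co.uk` wrong in opposite directions. And because the PSL lists a single-organization TLD like `brand` (or `mil`) as an ordinary TLD entry, the registrable domain under it is `host.brand`, so distinct hosts under one .brand look like distinct registrants to this algorithm, which is the processing wrinkle the reply above anticipates. Any real deployment must also refresh the list rather than bake it in, since the rules change, which is exactly the "old software accepts too many or too few" failure Watson describes.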
