On Fri, Jul 12, 2013 at 11:02 AM, Paul Wouters <paul@xxxxxxxxx> wrote:
On Fri, 12 Jul 2013, Phillip Hallam-Baker wrote:
avoiding answering the implicit question about huge collateral damageI notice you are missing .oracle and .exchange and .mail. Is that
because you can't take any more slaps on the back or because you know
too many companies that have servers in their domain that would get
bypassed by your awesome magic three software vendors listed above?
No, I limited it to them only because those three companies can flood the market with software that makes the decision by force majeur. I don't think the domains you list have the market
power on the desktop to be a sufficient quorum.
when exchange.company.TLD and oracle.company.TLD start resolving to
company external IPs..... Even if just _one_ airline company would
fall into this trap, it would be millions of dollars of damage alone.
Paid for by vanity domains that make turning clearly visible domain names
into a confusion about what's a single word and what's a domain name.
Which in my view is an excellent argument for the IAB to issue an advisory warning that such domains are a terrible idea and that ICANN should not issue such domains under any circumstance.
Unfortunately the IAB is not going to give that advice. They seem to have passed on advising ICANN not to issue .corp which is going to be a total security meltdown. It's not 20 pieces of silver at stake here is a quarter million bucks or more a pop.
I think that there is actually very good reason to believe that the two domains you cite will not be a problem as Microsoft and Oracle both have very competent and aggressive legal departments and can be expected to rip ICANN apart legally limb from limb were they to be silly enough to issue them to any one else in flagrant violation of their longstanding trademarks.
But there are hundreds of other TLDs that are going to be causing a huge amount of damage and these are not going to be understood at first.
You think that users know and/or can set a default domain suffix?
That programmers twenty years ago knew and/or understood what that even meant (or you think no one runs 20 year old software?)
That everyone knows about suffix manipulation through their DHCP connections?
And VPN connections?
That is my point precisely. I think the domain search lists should be eliminated completely in the platform code because they are a little used feature with significant and non obvious security implications.
Apart from that, were you a proponent of the file extension and mime
type wars too? Because as soon as one company takes something like
.profitable as dotless, someone else will claim profitable:// and
all the browsers will just be giant pools of local policy causing
utter confusion and at best will yield a totally unpredictable
user experience for dotless domains. Don't expect a pat on the
shoulder from me in twenty years.
For what it is worth I have always considered using file extensions to specify the file type to be an unscalable hack. Mime types are a lot better.
Website: http://hallambaker.com/