Canonical list of overly general domains?

Hans Granqvist hgranqvist at verisign.com
Mon Jan 8 22:02:57 UTC 2007


Daniel E. Renfer wrote:
> While I haven't been able to find a good list of domains that meet
> this requirement, what does everybody think of the idea that if you
> can't find a DNS entry for the domain part of the trust root then it's
> not a good candidate for a trust root?
> 
> Maybe it's just my DNS servers, but I'm not getting a response for
> things such as "com" or "co.uk".
> 
> Any thoughts?
> 

The DNS lookup is interesting, but I feel a relying party
should white-list the sites it accepts and only accept those.

Any other "mechanical" trust relationships (such as generic blacklists)
are likely to be worth next to nothing, so the RP might as well
ignore checking for return address being in the trust root's set.

Hans
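
The two checks discussed in this thread, side by side, as an added example that is not part of the original messages or of any OpenID library. The `*.` wildcard form of a trust root, the allow-list contents and the resolver data are assumptions constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

# Constructed allow-list for this example (hypothetical host).
ALLOWED_HOSTS = {"www.example.com"}

def domain_part(trust_root):
    """Host of the trust root, lower-cased, without a leading '*.' wildcard."""
    host = urlsplit(trust_root).hostname or ""
    return host[2:] if host.startswith("*.") else host

def system_resolves(host):
    """True if the system resolver returns any address for host."""
    try:
        return bool(socket.getaddrinfo(host, None))
    except (socket.gaierror, UnicodeError):
        return False

def passes_dns_check(trust_root, resolves=system_resolves):
    """The DNS idea: the domain part of the trust root must have a DNS entry."""
    host = domain_part(trust_root)
    return bool(host) and resolves(host)

def passes_allow_list(trust_root, allowed=ALLOWED_HOSTS):
    """The allow-list idea: exact host match only, so a wildcard host never passes."""
    host = urlsplit(trust_root).hostname or ""
    return host in allowed

def compare(trust_roots, resolves=system_resolves):
    """Map each trust root to (dns_check_result, allow_list_result)."""
    return {tr: (passes_dns_check(tr, resolves), passes_allow_list(tr))
            for tr in trust_roots}

# Constructed resolver data standing in for real DNS so the example runs offline:
# "com" and "co.uk" have no entry, as reported in the quoted message.
SAMPLE_DNS = {"www.example.com", "example.net"}
SAMPLE_ROOTS = [
    "http://*.com/",
    "http://*.co.uk/",
    "http://www.example.com/",
    "http://*.example.net/",   # resolvable, but not a site this deployment listed
]

if __name__ == "__main__":
    results = compare(SAMPLE_ROOTS, SAMPLE_DNS.__contains__)
    for root, (dns_ok, listed) in results.items():
        print(f"{root:28} dns_check={dns_ok!s:5} allow_list={listed}")
```

The DNS check rejects the two overly general roots but still passes any domain that happens to resolve, while the allow-list passes only the listed site.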


