Al Iverson wrote:
I have to strongly agree with Arvel here. I strongly reject any thought
along the lines of "we shouldn't pursue methodology X because somebody
can bypass it with similar cousin domains."
Addressing spoofing by way of cousin domains is necessary, but is a
whole separate discussion. It, like protection related to the
validation of legitimate domains, are both two small pieces of the
authentication and trust puzzle.
Suggesting "forget it, because they can still get away with a
lookalike domain" seems to me like saying "forget about locking the
door; we shouldn't bother, because it's not the only way a bad guy can
Your last paragraph really gets at the core issue:
Is there a sufficiently useful degree of benefit to warrant the
(considerable) cost of development, deployment, and use?
Is the benefit long-term?
In the case of locking the door to one's house, it permanently keeps out
casual intruders and it establishes intent to secure the house. So someone
breaking down the door is clearly guilty of breaking and entering. These are
real, long-term benefits.
We have none of that clarity or even benefit, in the current case.
A cousin domain is sufficiently trivial to use so as to make the intended
protection against use of sub-domains meaningless. If the current mechanism
really did raise the bar, that would be one thing, but it doesn't.
If a reputation engine has an entry for a name, it works. Locking subdomains
or cousin domains is entirely irrelevant to that.
So the question is what sort of mechanism is going to benefit from locking
sub-domains, but not cousin domains? How is the benefit meaningful?