Internet-Draft | Explicit relationship between domains | November 2022 |
Madeleine | Expires 19 May 2023 | [Page] |
Good practices of domain handling are often overseen, making it difficult for users to know if a domain is legitimate, this proposal aims to create an easy, accessible way to verify relations between domains and by extension entities.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 May 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Domains are a common vector of attack, this is due in partly to the non comprehension of what a URL is, but also due to the lack of good domain handling.¶
Mastercard for example uses mastercard.com as a global entry, mastercardcontentexchange.com for newsroom, mastercardservices.com for services.¶
National Bank of Canada (one of Canada's biggest banks) uses bnc.ca, nbc.ca, banquenationale.com, bncd.ca, nbdb.ca, nbfwm.ca, fbngp.ca, bntmaretraite.com, nbfm.ca, bnmf.ca, assurances-bnc.ca, nbc-insurance.ca depending of the language and the offer.¶
Equifax uses equifaxbreachsettlement.com for the settlement of its data breach and that domain has been infamously squatted.¶
How can we legitimately hope that a normal user can tell apart a domain like bncd.ca and bnc.bank or spot a variation in a domain like equifaxbreachsettlement.com ? As it's nearly impossible to create a system that insures who owns what domains, and as hoping for correct domain handling is day dreaming. This draft will try to actually create explicit links between domains allowing browser vendors to give the user information that will help them defining if a domain is actually related to a trusted domain.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
To help tackle the domains relation in a way that is standard fair to small and big player and non government related, this draft proposes to use a new dedicated http header to establish the relation. This header will be set on both the claiming domain and the trusty domain. The new header MUST only be available on secured connections (https) to mitigate their alteration by an adverse party, they also MUST be non accessible/forbidden to javascript or fetch.¶
The header is of the following form¶
REL: RELATION; DOMAIN¶
Only one REL header with a claim relation should be present in a response, multiple REL headers with non claim relation can be sent with a response. Each REL header should define only one relation to a domain, subdomain or subdirectory. The claiming relation MUST use the claim relation, the trusty can use one of the defined relations:¶
All relationships MUST be direct if a transitive relation is found it should be ignored so A <---> B is OK but A <---> B <----> C will only expose the relation between A and B This will both avoid some circular relationships and mitigate the use of a compromised trusted intermediate to fake a relation.¶
The claim relation MUST be on a domain with no subdomain, the request will then be resolved to the main subdomain for the domain, this prevents the use of a delegated subdomain into a claim. For example www.badactor.test can not claim actor.supportplatform.test as it would imply a relation to supportplatform if that platform was allowing its users to add some headers on their pages¶
An owning relation can only be linked to a full domain, and therefore the domain definition MUST be of the type REL: own; https:*.DOMAIN.TLD so every subdomains, every subdirectory of DOMAIN.TLD should be considered as owned by the same entity as the domain exposing the relation.¶
rel: own; https://*.domain.tld | |
---|---|
URI | Valid |
https://www.domain.tld | TRUE |
https://domain.tld | TRUE |
https://sub.domain.tld | TRUE |
https://sub.domain.tld/dir | TRUE |
https://domain.tld/dir | TRUE |
https://sub.sub.domain.tld | TRUE |
A delegated relation can only be linked to a full domain or a subdomain, and therefore the domain definition MUST be one of¶
rel: delegate; https://sub.domain.tld | |
---|---|
URI | Valid |
https://www.domain.tld | FALSE |
https://domain.tld | FALSE |
https://sub.domain.tld | TRUE |
https://sub.domain.tld/dir | TRUE |
https://domain.tld/dir | FALSE |
https://sub.sub.domain.tld | FALSE |
rel: delegate; https://domain.tld | |
---|---|
URI | Valid |
https://www.domain.tld | FALSE |
https://domain.tld | TRUE |
https://sub.domain.tld | FALSE |
https://sub.domain.tld/dir | FALSE |
https://domain.tld/dir | TRUE |
https://sub.sub.domain.tld | FALSE |
An operated relation can only be linked to a domain a subdomain or subdirectory, and therefore the domain definition MUST be one of¶
rel: operate; https://sub.domain.tld/directory/subdirectory | |
---|---|
URI | Valid |
https://www.domain.tld | FALSE |
https://domain.tld | FALSE |
https://sub.domain.tld | FALSE |
https://sub.domain.tld/dir | FALSE |
https://domain.tld/dir | FALSE |
https://sub.sub.domain.tld/dir/subdir | FALSE |
https://domain.tld/dir/subdir | FALSE |
https://sub.domain.tld/dir/subdir | TRUE |
https://sub.domain.tld/dir/subdir/leaf.html | TRUE |
https://sub.domain.tld/dir/subdir/lastdir | TRUE |
The REL header MAY be cached for the duration of a session but SHOULD NOT be cached for a longer time, this will make sure the relation between the 2 domains is always relevant and allow for fast response in case of exploit on one of the domains. The revocation of a relation can be unilateral by any of the domains and is just a matter of not sending the header.¶
This memo includes no request to IANA.¶
This document should not affect the security of the Internet.¶
Thanks to all of the contributors.¶