The Messaging, Malware, and Mobile Anti-Abuse Working Group, or M3AAWG, has released a blog post and white paper calling for the creation of an industry coalition to support the Public Suffix List (PSL). The PSL is an initiative under the Mozilla Foundation, and identifies the parts of the Internet domain name space under which organizations can register their own domains (think “.com” versus “example.com”). The PSL is a critical information resource used by all DMARC verifiers, and if it were to stop being updated the impact on email security could be enormous. The call to action from M3AAWG: We need some kind of industry coalition to permanently support the PSL.
DMARC is specified in RFC 7489, and a key concept in DMARC is the Organizational Domain. Section 3.2 describes how a public suffix list is used to determine the Organizational Domain, and Appendix A.6.1 specifically mentions the PSL because, frankly, it’s the only one widely and freely available. Use of the PSL may be deprecated in the next version of DMARC (this is still being finalized by the IETF DMARC Working Group), but even after that version is eventually published, it will be many years before most email installations using DMARC deploy updated software. In other words, we’re going to be dependent on the PSL for a long time to come.
And the PSL is used for much more than DMARC. It was created to help browsers make decisions about which HTTP cookies a given website could create or read. Imagine if a bad actor could register a specially named new domain and read the authentication cookies in your browser that let you access your bank or social media accounts. Since then the PSL has found many other uses, one of the more critical being in determining when a request to issue a TLS certificate is too broad – with such a certificate, a bad actor could convince your browser that you’ve connected to your bank or social media site, when you have really connected to their scam site.
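As an added illustration of the Organizational Domain derivation described above, and of the same "is this name a public suffix?" question a browser asks before accepting a cookie or certificate scope, the following Python is not from the post or from any DMARC or PSL project; CONSTRUCTED_PSL is a made-up subset of rules and the function names are assumptions.

```python
# Added example (not from the post, DMARC or the PSL project): how a DMARC
# verifier derives the Organizational Domain (RFC 7489 section 3.2) from a PSL.
from __future__ import annotations

CONSTRUCTED_PSL = """
// constructed subset for illustration only, not the real PSL
com
uk
co.uk
github.io
*.ck
!www.ck
"""

def parse_psl(text: str) -> list[str]:
    """Keep rule lines; drop blanks and '//' comments, as the real file uses."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]

def _rule_matches(rule: str, labels: list[str]) -> bool:
    # Compare right-to-left; '*' matches exactly one label.
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l
               for r, l in zip(reversed(rule_labels), reversed(labels)))

def public_suffix(domain: str, rules: list[str]) -> str:
    """PSL algorithm: an exception rule ('!') wins outright and its suffix is the
    rule minus its leftmost label; otherwise the longest matching rule wins;
    with no match at all the suffix is the final label alone."""
    labels = domain.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        if not _rule_matches(rule, labels):
            continue
        if rule.startswith("!"):
            return ".".join(rule[1:].split(".")[1:])
        if best is None or rule.count(".") > best.count("."):
            best = rule
    n = best.count(".") + 1 if best else 1
    return ".".join(labels[-n:])

def organizational_domain(domain: str, rules: list[str]) -> str | None:
    """Public suffix plus one label. Returns None when the domain is itself a
    public suffix: a verifier must not treat 'co.uk' as an organization, and a
    browser must reject a cookie or certificate scoped that broadly."""
    labels = domain.lower().rstrip(".").split(".")
    n = public_suffix(domain, rules).count(".") + 1
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None
```

Call `organizational_domain("mail.example.co.uk", parse_psl(CONSTRUCTED_PSL))` to see the longest-match rule pick `co.uk` over `uk`; a name such as `foo.ck` is itself a suffix under the wildcard rule, while `www.ck` is rescued by the exception rule.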
If you’re looking for a way to give back to the Internet community as a volunteer, the PSL would be an excellent project to support. The M3AAWG publications (blog, paper) praise the volunteers who have maintained the PSL (rightly so!), and also call for an industry coalition of some kind to provide permanent support and funding, so that Internet users can continue to browse and exchange email safely.