If you’re LG, you own the software, you do cert pinning. Also, realize many (most? almost all?) are going to outsource the management of their vanity TLD to one of the existing companies in that market. Think of a brand that sells, I don’t know, shoes. Running a TLD is not part of their core business. It makes no sense to do this in-house. So now it’s a contractual agreement with some third party again anyway. You depend on their help desk, their security, and all of the other vendors that they outsource other bits to. Heck, even the hugest of huge IT companies outsource this stuff. .apple backend is outsourced to Afilias.

On Sat, Jul 6, 2024 at 2:02 PM Bill Woodcock <woody@pch.net> wrote:
On Jul 6, 2024, at 22:41, Paul Ebersman <list-nanog2@dragon.net> wrote:
I've been surprised that none of the folks that got TLDs seem to be leveraging the technical/security brand protection like they could.
A few are. A very few. SNCF. A few banks.
If I have an LG TV and it wants to update to <mumble>.LG and LG is DNSSEC signing the whole chain, that sure seems more likely to be legit than <mumble>.lg.tv or some such.
Ayup. Particularly if they don’t allow downgrade attacks to CA certs.
I think there are a few more brands looking to make this move to higher security in the new ngTLD round. At least everybody’s a lot more educated this time around.
-Bill