I think it's particularly interesting that the US use .gov and not .gov.us (as a Brit). I'm sure there are oversights on who can acquire an inherently international .gov domain, but for example here in the UK .gov.uk domains have a strict application process [0] managed by central government.
It just seems to me that it would be more secure, and more reassuring to citizens and visitors that they are on the correct site, if it's under a ccTLD that's clearly affiliated to and managed by that government.
My guess is that it’s because the US built the thing, they decided .gov was to be for US Government sites. Then when other countries joined they got their own TLDs, which they added a .gov.<tld> to for their own purposes.
Right, I assumed it was the same principle by which UK, having issued the first postage stamps, is the only country that doesn't say the country name on the stamp.
For how many decades is this going to be a reasonable argument?
In 100 years, will it still be reasonable for the USA to say "we built the thing, so it is appropriate for us to continue to be the default country in domain names. The rest of you must use your ccTLDs, but we remain special."
In 200 years?
The only non-pathetic option is for the United States to transition to using its .us ccTLD for governmental and military domains in particular, with .edu and probably some others not far behind. The only question is how gradual the process is, and when it starts.
.com and .net and .org are only "internationally available" because the registrars didn't care to restrict them (IIRC, one of them was moderately restrictive in the beginning, perhaps .org requiring an actual organization of some sort).
The TLD .org was originally for non-profits, to distinguish them from the for-profit companies found over at the .com TLD. In the beginning, you had to prove nonprofit status to get a .org domain.
That’s no longer required, but still there was a big fight a few years ago when the .org registrar was set to be sold to a private equity firm. It’s the TLD of choice for nonprofits, as an echo of that early restriction.
.gov is managed by the US government in the exact way you describe. There is nothing "inherently international" about it. It isn't meant for anyone outside of US government agencies.
Let's be specific though: .gov is available for any government within these United States, whether it be federal, state, local municipality, territorial, or tribal government. In fact, all major cities I just spot-checked have .gov domains. I wonder how many are clinging to <city>.<state>.us? At least as a CNAME? ...none of those which I just spot-checked.
.com, .org and nearly all original TLDs are used internationally, though there are also local derivatives like co.uk. Even .edu used to be available internationally. I suppose most people have realized by now that .gov is strictly US, but it's not like that was obvious from the naming scheme alone.
> Why doesn't the United Kingdom have the name of the country on its stamps?
> Because the United Kingdom had the privilege of being the first country in the world to introduce postage stamps, meaning that they did not need to be identified as coming from that country, especially when used domestically.
I don't think that's clear at all. We have three people in this thread already confused on the issue.
I think the poster wasn't talking of the US government but of knowing which government a domain is related to by just looking at it. ".gov" is not clear while ".gov.uk" is clear due to the ccTLD.
> but isn't .gov "clearly affiliated to and managed by" the US government
> I'm sure there are oversights on who can acquire an inherently international .gov domain,
There's .INT if you have a use for one.
> turns out .gov is exclusively for the US, not sure I feel good about that, particularly as .com and .net are very much not just for the US.
This goes back to when the DNS was designed in the late 70s. Things were different back then (remember the big-endian British addresses, gb.corp.foo IIRC).
And I see you haven't learnt about .MIL yet either...
This got me thinking about cookie scope, and I have a feeling that domaina.tld. and domainb.tld. is always safer than domaina.gov.tld. and domainb.gov.tld.
I might be way off here, but I think that means either domain could set a gov.tld cookie which is sent to all domains, and if one of them is reading cookies without checking scope it could be a way to send whatever to another server. Or even worse, if one of the sites is using gov.uk cookies for something sensitive, then any of the others could read it.
Does anyone know if browsers have special cookie scope considerations for things like .gov.uk and .co.uk?
Browsers use the public suffix list to determine cookie scope. So .co.uk domains are just as isolated from each other as .com domains.
You can even get your own domains added to it, typically because you allow users to host their own content on a subdomain (like github.io for github pages).
Interestingly, .edu is mostly only for US universities, but there are a bunch of exceptions. Basically, there used to be several "generic TLDs"[1] in addition to the "country code TLDs" (of which ".su" for Soviet Union still exists), but they mostly got converted into sponsored TLDs.
The gov TLD is managed by the US government. It's very rare that you renew anything with ICANN, since you're almost always going at least to the entity that manages a TLD (unless you run a TLD, then I guess there'd be an ICANN fee).
If you have a .com domain, you're renewing with VeriSign, the company that owns the com TLD.
I'll pay for the domain if you find a way to buy a .gov as easily as you can buy a .com. I don't even think a regular citizen can get a .gov unless you incorporate a new city or something like that.
During the government shutdown some TLS certificates expired, so depending how long it goes a domain renewal could get missed because nobody is working or the check bounces.
I went through the process of registering a .gov domain recently and it definitely takes a couple of months. It requires a letter of intent, wet signatures from elected official(s) on official letterhead, a phone call to a publicly listed number of an elected official, 2FA enrollment for the management of DNS/WHOIS, and a period of time in between some of these steps for some behind-the-scenes verification to take place. Despite the many steps, I did find it relatively straightforward and appropriate given the exclusivity of the TLD. In fact, the most difficult part (that I'm still working through) is convincing management that we should make the full migration to the .gov now that we have it registered...
What type of organization are you operating where you'd need a .gov? Is this a government organization (like a local government or city hall)? Or is it possible for even random non-government related non-profits to have legitimate uses for .govs?
Edit: I was mostly commenting on this.
> In fact, the most difficult part is convincing management that we should make the full migration to the .gov
It sounds like the most difficult part of getting a .gov is having a legitimate government entity and having a purpose that needs one.
You must be an official government entity at a local, state, or federal level. This can include cities, counties, special districts, joint power authorities, state offices, etc.
I would hope that random "non-government related non-profits" aren't using .gov domains. Isn't the whole point of the domain that it's just for government entities?
Interesting related thing from India: the official TLDs as per the guidelines are .gov.in and .nic.in, and both are registered as a public suffix (legacy, from when the list was created).
However the government created a separate Section 8 company called Digital India corporation that runs a separate group of websites for Citizen Outreach called MyGov, which runs a separate subdomain for these: mygov.in. Unfortunately, they haven’t gotten around to registering it as a public suffix, so there are concerns around security (cookies are shared between completely separate sites). The public suffix list doesn’t accept contributions without authorisation anymore, so it’s unlikely to be fixed.
There’s also the interesting case of some government sites preferring .org.in to showcase independence from government interference- RBI, for eg (the central bank) runs at rbi.org.in.
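The cookie-scope rule discussed in this thread (a `Domain` attribute naming a public suffix is rejected, so sites under gov.uk are isolated while sites under an unlisted parent such as mygov.in share a scope), as an added example that is not part of any comment. The suffix set is a constructed excerpt limited to names mentioned here, the hostnames are hypothetical, and wildcard and exception rules are omitted.

```javascript
// Constructed excerpt: only suffixes named in this thread, not the full list
// from https://publicsuffix.org/. Per the thread, mygov.in is NOT listed.
const PUBLIC_SUFFIXES = new Set([
  "com", "uk", "co.uk", "gov.uk", "in", "gov.in", "nic.in", "github.io",
]);

// Lower-case, drop leading/trailing dots ("gov.uk." == "gov.uk"), split.
const labels = (host) =>
  host.toLowerCase().replace(/^\.+|\.+$/g, "").split(".");

// Longest listed suffix of `host`. Unlisted TLDs fall back to the last label
// (the list's implicit "*" rule). Wildcard/exception rules are omitted.
function publicSuffix(host) {
  const parts = labels(host);
  for (let i = 0; i < parts.length; i++) {
    const candidate = parts.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return parts[parts.length - 1];
}

// Registrable domain: the public suffix plus one label to its left.
function registrableDomain(host) {
  const parts = labels(host);
  const suffixLen = publicSuffix(host).split(".").length;
  if (parts.length <= suffixLen) return null; // host is itself a suffix
  return parts.slice(-(suffixLen + 1)).join(".");
}

// Would a browser store a domain cookie for `Set-Cookie: ...; Domain=<attr>`
// sent by `requestHost`? Mirrors the RFC 6265 checks: the attribute must not
// be a public suffix, and the request host must domain-match it.
function acceptsCookieDomain(requestHost, domainAttr) {
  const host = labels(requestHost).join(".");
  const domain = labels(domainAttr).join(".");
  if (publicSuffix(domain) === domain) return false;
  return host === domain || host.endsWith("." + domain);
}

// Widest Domain value that both hosts may set and both will receive, or null
// when the suffix list isolates them from each other.
function sharedCookieDomain(hostA, hostB) {
  const domain = registrableDomain(hostA);
  if (domain === null || domain !== registrableDomain(hostB)) return null;
  return acceptsCookieDomain(hostA, domain) ? domain : null;
}

// Hypothetical hostnames, for illustration only.
for (const [a, b] of [
  ["site-a.gov.uk", "site-b.gov.uk"],
  ["site-a.mygov.in", "site-b.mygov.in"],
  ["alice.github.io", "bob.github.io"],
]) {
  console.log(`${a} / ${b} -> shared scope: ${sharedCookieDomain(a, b)}`);
}
```

A site operator under an unlisted shared parent can still avoid the shared scope by setting host-only cookies (no `Domain` attribute) or using the `__Host-` cookie name prefix.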
This sounds like a decent idea until you realize that means one of two options:
- A US Government controlled CA root preinstalled on computers. Privacy advocates would be in arms.
- Constant untrusted CA warnings when trying to access any government site.
The Pentagon takes approach 2. Most people never need to access a .mil anyways, but if you need to work with their office (I had a dealership leasing cars to them needing to use a web portal) then you have to install their cert bundle.
What exactly are you (or they) afraid of? NSA/FBI/CIA/DHS/etc impersonating other sites using the government CA?
Before Certificate Transparency, I'm pretty sure they already could do that relatively easily by forcing a private CA to make them a cert. (National Security Letters and all that fun)
Even now, with CT, I think they'd be more inclined to use a private or at least an "unofficial" CA, instead of basically leaving "yours truly, The Government" in the CT log. If you already know you'll leave a trace, why would you want to make that trace extra obvious?
GSA had that chance when they wrote the rules for all government services to use https. They didn’t even offer letsencrypt, much less build their own CA. The corporate CAs wanted their cut of more tax money.
.ca is open for registration by anyone, and people are used to seeing that TLD. Combine that with the bilingual super long domain names and every once in a while you’ll see a phishing scam like:
.gc.ca exists for that exact purpose. It has the advantage of being bilingual ("GC" expands to both "Government of Canada" and "Gouvernement du Canada", .gov.ca omits the "u" in the French word gouvernement).
I believe the canada.ca thing relates to the centralization of federal government IT under Shared Services Canada (SSC) in 2011. SSC is an attempt to make a "one stop shop" for government IT services, and Canada.ca is an extension of that philosophy to web presence.
As an aside, SSC is very controversial in the Canadian federal government. They have a reputation for glacially slow delivery of services and inflexibility in IT policies. The head of StatCan actually resigned in 2016 in protest as a result of problems with SSC [1]. They have gotten better since then but it's still rocky.
I completely forgot about gc.ca. I'm surprised they haven't kept with it! Didn't know about SSC, resigning over that is a pretty strong indicator of how the internals of the federal government's IT decision makers work haha.
> CIRA could set up a .gov.ca second level or something if they really wanted to keep the .ca
As has been noted elsewhere in the thread, Canada wouldn't be eligible to use bare .gov if they wanted to, because it's only for US government entities.
0: https://www.gov.uk/apply-for-and-manage-a-gov-uk-domain-name
--
Edit: turns out .gov is exclusively for the US, not sure I feel good about that, particularly as .com and .net are very much not just for the US.
The possibility of the US government creating a .gov specifically to confuse uses in a foreign country isn't ideal.
I get it, you invented the internet, but the special status you have over it is a little frustrating.
https://www.whitehouse.gov/wp-content/uploads/2023/02/M-23-1...
https://en.m.wikipedia.org/wiki/.gov (Which seems to make my guess right, .gov is operated by the US Government)
.mil is also US only.
The real hotness is to host on .arpa - https://blog.fhrnet.eu/2019/03/13/fun-with-arpa-domains/
That's the same reason the US is +1 country code and holds .gov
[1] https://en.wikipedia.org/wiki/Postage_stamps_and_postal_hist...
https://en.wikipedia.org/wiki/ISBN & https://en.wikipedia.org/wiki/List_of_ISBN_registration_grou...
Plenty of exceptions abound, though: https://en.wikipedia.org/wiki/.gov#Use
Or .edu vs. .ac.uk; .mil vs. .mod.uk.
They got there first and just spread over TLDs before consigning other nations to fit under one I suppose.
Maybe this is my latent American nationalism showing, but isn't .gov "clearly affiliated to and managed by" the US government?
I think this bit was added as an edit or maybe I just missed it:
> an inherently international .gov domain
.gov is not inherently international for all the reasons in this subthread (and probably others as well)
> but isn't .gov "clearly affiliated to and managed by" the US government
I would say no. What makes it clear to you?
> I get it, you invented the internet, but the special status you have over it is a little frustrating.
I bet America having +1 as our country code bothers you too :P
America numba 1! /S
[0]: https://en.wikipedia.org/wiki/Telephone_numbers_in_Canada
Even if it's not exactly ".gov" they still mimicked it.
america music intensifies
https://publicsuffix.org/
1. https://en.wikipedia.org/wiki/Generic_top-level_domain
What if a dept lets theirs lapse and some squatter swoops in and takes it?
We'll start the bidding at $1B USD...
[0] https://get.gov/registration/requirements/#eligibility
Turns out it’s not a USDA campaign, but is associated with a CISA campaign to explain foreign influence operations focused on divisiveness.
CISA produced a quite good one pager: https://www.cisa.gov/sites/default/files/publications/19_100...
Sadly the domain is inactive, but they helpfully included an archive.org to show some of the additional content (how the CISA director executed a pineapple op on Twitter): https://web.archive.org/web/20190726194709/https:/twitter.co...
And for the record- pepperoni pineapple jalapeño pizza is delicious.
I wrote a few more findings when I created a list back in 2020: https://twitter.com/captn3m0/status/1301613472615030784
This is how dn42 does it: https://dn42.dev/services/Certificate-Authority.md
Do you really trust the Turkish government with the ability to sign for any domain?
Some days I consider tearing out the whole thing and rebuilding with the 3 CAs I actually care about. But then I usually give up as too much hassle.
[1] https://ccadb.my.salesforce-sites.com/mozilla/IncludedCACert...
[2] There seems to be a Mozilla applied constraint for .tr only
Because it was possible, maybe better now!
It’s at least consistent in looking like a phishing scam!
[1] https://www.cbc.ca/news/politics/statistics-canada-interview...
[0]: https://github.com/GSA/govt-urls/blob/main/2_govt_urls_feder...
[0] https://www.house.mn
[1] https://www.senate.mn