DRPF Use Case

Related Domains

Even within a single company, multiple domains are often registered and operated by different divisions or departments than the administrator of the primary corporate domain. A subsidiary may even operate nearly autonomously such that a relying party may not be able to identify the relationship with any certainty.

Some of the domains are registered for brands or products to be used for specific services (e.g. https) and not others (e.g. email). Another vexing problem is when a company registers domains for specific purposes across a single product line rather than employing subdomain delegation. All of these issues compound the ability for relying parties to definitively know how domains are related and intended to be used.

Subsidiary / Brand / Cousin Domains

Companies often operate a variety of domains serving various purposes (e.g. as a subsidiary, promoting an individual product brand, or serving a specific purpose) which can make it difficult for a relying party to identify with any certainty that there's a relationship between a subsidiary or brand domain and their coporate administrative domain. There are, however, innumerable benefits to knowing when a domain is legitimately associated with a larger corporate organization.

Example: Consider that the primary corporate domain for General Mills is "generalmills.com", while many (though not all) of its breakfast cereal brands operates its own domain (e.g. "kixcereal.com", "cheerios.com"). Sharing a single corporate administration, the domains operate individual websites that typically link to common legal statements (e.g. terms of service, privacy policies, etc.) hosted at the corporate domain.

In other cases, subsidiaries or product-specific domains are registered only to direct to other domains or directly to pages hosted by the corporate domain. There are a number of ways a domain administrator can redirect some or all traffic to corporate sites (e.g. by serving a "HTTP/1.1 301 Moved Permanently" directive for web traffic), leaving the relying party to guess at the reasons for the relationship.

Example: Consider the medical device manufacturer Themo Fisher Scientific that operates the corporate domain "thermofisher.com". The product domains "invitrogen.com" and "dionex.com" redirect web traffic to deep links within the "www.thermofisher.com" website rather than operating independent websites for each brand... or perhaps the domains were part of an aquisition and a previous website at the domain was decommissioned.

In any case, without explicit information about the relationships and uses of the domains, relying parties are left to make their own inferences. It would be a lot more effective, accurate, and efficient if the domains explicitly published useful information that relying parties could... well... rely on.

Another vexing problem is when a company registers domains not as subsidiaries or in service to product brands, but for specific purposes across a single product line. These secondary domains are often termed "cousin domains" as they're related (in some undefined way) to a primary domain.

Example: Consider the primary user-facing customer domain for The Kroger Company (the parent of a handful of grocery stores) is "kroger.com", while "thekrogerco.com" acts as their corporate home, they delegate "krogerfeedback.com" to handle receipt surveys, and "krogersc.com" to operate their pharmacy accounts. Unfortunately, there is no way for a relying party to know with any certainty that they are legitimate domains related to The Kroger Company (and not malicious lookalike domains).

And we don't want you to think that we're only focused on domains used for websites. In fact, many of these related domains include MX records directing email to their delegated mail server, while others publish no MX record at all. And while some do, many do not, publish an SPF record indicating the domain may be used to send email from the authorized IPs on behalf of the domain (or explicitly announcing that the domain never sends email). Even within a single company's portfolio of related domains, its common to find domains that are spun up for one purpose (e.g. web) while not intended for another (e.g. email)... and it'd be useful for the domain administrator to announce their use to relying parties.

Declaring Domain Relationships

There are innumerable ways that domains can be related, though there are only a handful of top-level differences that most relying parties may find of use in making decisions when interacting with them. To support both the most common use cases as well as providing extensibility for domain administrators to provide detailed relationship information, the DRPF enables simple declarations within the assertion record, as well as more detailed relationships being defined within linked policy documents.

Simple Subordinate Domain Declaration

To support simple subordinate domain relationships, the subordinate domain can publish an Assertion Record declaring their relationship in terms of a dominant parent domain. The relationship would be one of a small set of defined declarations such as "childOf, "subsidiaryOf", or "brandOf" along with the related dominant domain. This type of Assertion Record, absent a direct link to a more detailed Policy Document indicates to a relying party that the subordinate domain is clearly under the administrative control of the dominant domain, and that the relying party can discovery / retrieve / parse the full set of DRFP policies from the dominant domain.

By way of example, a subordinate child domain that services a product brand (brand.domain) may publish a DNS TXT RR Assertion Record that looks something as simple as:

"domrel;brandOf:parent.domain;"

The relying party, upon discovering this Assertion Record, could then query the dominant parent domain "parent.domain" for its own Assertion Record in order to retrieve / parse / and confirm the relationship. While the referenced parent domain might explicitly declare the relationshiup in their own Assertion Record, it's more likely (and useful), for the "parent.domain" to include a link in their Assertion Record to a more detailed DRFP Policy Document such as::

"domrel;apex:parent.domain;policy:https://parent.domain/relationships.json"

Without going into too much detail about the structure, syntax, and semantics of the Policy Document, the JSON-LD snippet below illustrates useful information to confirm the relationship asserted by "brand.domain":

{
  "@context": [
    "https://domainrelationships.org/",
    {
      "schema": "https://schema.org/",
      "gr": "http://purl.org/goodrelations/v1#"
    }
  ],
  "@type": "schema:Organization",
  "schema:legalName": "Parent Company LLC Inc.",
  "isApex": true,
  "schema:url": "https://www.parent.domain",
  "hasChildRelation": [
    {
      "@type": "gr:brand",
      "relation": "isChild",
      "adminDomain": "parent.domain",
      "domain": "brand.domain",
      "gr:name": "Product Brand Name",
      "gr:description": "Product Brand Name is a product of Parent Company LLC Inc.",
      "status": "active"
    }
  ]
}

In the above snippet you'll see that it relies on the default "domainrelationships.org" ontology and references both the "Schema.org" and "Good Relations" ontologies. And while the snippet is slightly contrived (e.g. we could replace the Good Relations propoerties with equivelant ones from Schema.org), but it's worth illustrating the use of multiple ontologies within a single Policy Document. The ability to reference various fine-tuned ontologies unlocks nearly infinite extensibility. Just about any relationship can be defined either using the default DRPF ontology, or one that's specific to the applicable industry. For example, FIBO is an ontology specifically tuned to support the financial industry.

Regardless of the specific relationship being described, the following swimlane diagram illustrates the basic discovery exchange:

Sequence Diagram of Parent-Child Relationship - Inference Method

Policy Reference Method

This more direct method includes, in addition to declaring the Parent Domain, the Child Domain publishing an Assertion Record identifying the URL for the relevant Policy Document published by the Parent Domain. In this case, the Relying Party retrieves and parses the relevant Policy Document without having to first query the Parent Domain for the relevant Policy Document. While adding slightly more administrative burden to the Child Domain (i.e. requiring that the Assertion Record be updated if/when the relevant Policy Document location moves), it decreases the discovery burden of the Relying Party.

Using this method, the Child Domain publishes an Assertion Record that also includes a direct link to the relevant Policy Document such as:

"domrel;childOf:parent.domain;policy=https://parent.domain/relationships.json;status=active;"

The retrieved Policy Doument is identical to and would look the same as the one illustrated above. This method just simplifies the path to identifying and retrieving the relevant relationship policy with the discovery exchange simplified to something like:

The Relying Party may also perform a comparison between the declared domains and where the policies are retrieved as further signal confirming the relationship. If the referenced Policy Document(s) are hosted by different domains, it may be useful for the evaluating Relying Party to build (and cache according to the stated expiration directive) a relationship graph. But that's more sophisticated than is likely to be immediately useful and is left to be discussed in more detail elsewhere.