bilekas 11 hours ago

Maybe I'm missing something, but can't you separate your session and authentication with a different subdomain? E.g. my session on corp.paypal.com would be locked down to solely corp.paypal.com.

From a practical sense, what difference does a subdomain versus a dedicated domain offer if you're managing your certs correctly?

SahAssar 10 hours ago

You can, but a lot of people lack the discipline to do so correctly. I'd prefer them to use corp.paypal.com, but as a security guy it's easier to just get them a separate domain and let them have their less-secured stuff completely isolated.

c0balt 10 hours ago

You can, but it is difficult and prone to errors. Separate domains solve the root cause of the issue. The alternative is an entry on the public suffix list.

notpushkin 7 hours ago

Which would not be easy to get, considering PayPal is not running a public suffix.

asddubs 6 hours ago

You can request entries on it; the list is not just for TLDs.

notpushkin 6 hours ago

Yes, but the list is for public suffixes, i.e. domains under which users can get their own subdomains.
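The cookie-scoping behaviour the thread is arguing about (bilekas's "lock the session to corp.paypal.com", c0balt's "separate domain or a public suffix list entry") can be made concrete with a small model of the RFC 6265 domain-matching and public-suffix rules. The code below is an added example written for this page, not code from the thread or from PayPal; the public suffix list subset, the hostnames and the hypothetical second domain paypal-corp.example are constructed for illustration.

```javascript
// Added example: a minimal model of how a user agent decides (a) whether to
// accept a Set-Cookie with a Domain attribute and (b) which hosts later
// receive that cookie, following RFC 6265 sections 5.1.3 and 5.3.
// The public suffix subset below is constructed for the example; the real
// list is at https://publicsuffix.org/.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// RFC 6265 5.1.3: a request host domain-matches a cookie domain when they
// are identical or the host ends with "." followed by the domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Process a Set-Cookie seen in a response from `host`.
// Returns the stored cookie, or null when a conforming user agent
// ignores the cookie entirely.
function storeCookie(host, name, attrs = {}, psl = PUBLIC_SUFFIXES) {
  host = host.toLowerCase();
  let domain = (attrs.domain || "").replace(/^\./, "").toLowerCase();

  // 5.3 step 5: a Domain attribute that is a public suffix is refused,
  // unless the setting host *is* that suffix, in which case the cookie
  // degrades to a host-only cookie.
  if (domain !== "" && psl.has(domain)) {
    if (domain === host) domain = "";
    else return null;
  }

  // No (usable) Domain attribute: host-only cookie, bound to exactly `host`.
  if (domain === "") return { name, domain: host, hostOnly: true };

  // 5.3 step 6: the setting host must domain-match the Domain attribute,
  // so corp.paypal.com may set Domain=paypal.com but not Domain=paypal-corp.example.
  if (!domainMatches(host, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would this stored cookie be attached to a request to `requestHost`?
function isSentTo(cookie, requestHost) {
  requestHost = requestHost.toLowerCase();
  if (cookie.hostOnly) return requestHost === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// The situation discussed in the thread: a less-secured corp.paypal.com
// sets a session cookie. Which hosts can it reach?
function scenario(psl = PUBLIC_SUFFIXES) {
  const wide = storeCookie("corp.paypal.com", "session", { domain: "paypal.com" }, psl);
  const hostOnly = storeCookie("corp.paypal.com", "session", {}, psl);
  const foreign = storeCookie("corp.paypal.com", "session", { domain: "paypal-corp.example" }, psl);
  return {
    // Domain=paypal.com is accepted and then flows to every paypal.com host.
    wideAccepted: wide !== null,
    wideReachesWww: wide !== null && isSentTo(wide, "www.paypal.com"),
    // Omitting Domain keeps the cookie on corp.paypal.com only.
    hostOnlyReachesWww: isSentTo(hostOnly, "www.paypal.com"),
    hostOnlyReachesCorp: isSentTo(hostOnly, "corp.paypal.com"),
    // A separate registrable domain cannot be targeted at all.
    foreignAccepted: foreign !== null,
  };
}

// Same scenario if paypal.com were listed as a public suffix: the
// Domain=paypal.com cookie is refused outright, which is the effect
// c0balt's "entry on the public suffix list" alternative relies on.
function scenarioWithPslEntry() {
  return scenario(new Set([...PUBLIC_SUFFIXES, "paypal.com"]));
}

module.exports = { domainMatches, storeCookie, isSentTo, scenario, scenarioWithPslEntry };
```

The model shows why "lock the session to corp.paypal.com" depends on discipline: the isolation holds only as long as no response from any paypal.com host ever sets `Domain=paypal.com`, whereas a separate registrable domain (or a public suffix entry) makes the wide cookie impossible to set regardless of what the application code does.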
