The guidelines state that the PRIVATE section exists for "owners of privately-registered domains who themselves issue subdomains to mutually-untrusting parties."
The guidelines also state that "projects not serving more than thousands of users are quite likely to be declined."
These two criteria can create a circular dependency.
For a domain that architecturally functions as a registry — issuing independent subdomains to independent parties with full DNS control — many of the things that would generate "active usage" in the way reviewers measure it (hosted websites, TLS certificates, hosting platform integration) are themselves gated on PSL inclusion:
Hosting platform verification: Services that consume the PSL to determine domain ownership boundaries (Vercel, Netlify, etc.) will treat all subdomains under a non-PSL-listed domain as belonging to a single entity. Only one user can verify ownership; all subsequent users are blocked.
Cookie isolation: Without PSL inclusion, any subdomain holder can set cookies readable by all other subdomain holders — a security issue that discourages legitimate use.
Certificate issuance: CA rate limits apply per registrable domain as determined by the PSL, constraining independent subdomain owners.
The result: reviewers look at CT logs or hosted sites to gauge usage, find very few, and decline. But the reason there are very few is precisely because the domain isn't on the PSL. The submitter is told to "encourage users to start using the submitted entry" — but users can't fully use it until it's listed.
So, how should the PSL evaluate PRIVATE section submissions where:
The domain architecturally meets the stated criteria (independent subdomains, mutually-untrusting parties, independent DNS control per subdomain), and
The low current web-hosting usage is a direct, demonstrable consequence of the domain not being on the PSL?
Is the architectural criterion sufficient, or is demonstrated active web hosting always required regardless of whether the PSL's absence is what's preventing it? If the latter, this should be made explicit in the guidelines, because the current text doesn't state it and the stated purpose of the PRIVATE section implies architectural eligibility.
For comparison
Many entries currently in the PRIVATE section were presumably added based on their architecture — that they issue subdomains to independent parties — not because reviewers first counted how many active websites existed under them.
Were herokuapp.com, pages.dev, vercel.app, netlify.app, azurewebsites.net, etc. all required to demonstrate thousands of actively hosted sites with TLS certificates before being listed?
If so, how did their users get hosting platform verification and proper cookie isolation before listing?
If those entries were added based on architectural merit and the operator's credible commitment to the service, that seems like the right model — and it's a model that would resolve the circular dependency for future submissions too.
What I'm asking for
I'm not asking for my specific PR to be reconsidered here. I'm asking for one of:
Acknowledgment that the circular dependency exists and guidance on how submitters in this situation should proceed (e.g., a minimum number of DNS-active subdomains rather than web-hosted sites, or architectural review as an alternative path), or
An explicit policy update stating that demonstrated web-hosting activity is a hard prerequisite regardless of architecture, so that future submitters with similar services know upfront that they need to solve the chicken-and-egg problem by other means before applying.
Either answer would be useful. The current state — where the guidelines describe an architectural criterion but PRs are evaluated on a usage criterion that the guidelines don't state and that PSL absence itself prevents meeting — is unclear and leads to frustrating circular conversations for both submitters and reviewers.