We’ve never claimed that the list was only bank names, or large shopping sites, or software sites.
Here’s our methodology to fill in the main part of our blacklist: We started with the Alexa top 1k domains. This was both too aggressive and not aggressive enough. There were a number of domains in that list that we didn’t consider high enough risk to prevent issuance.
Our security officers manually reviewed the list to trim the list, ending with fewer than 200 “names.” They’re from all categories - banks, shopping, software, online services, and more.
At the same time, we added the notion of “permute.” Specifically, there are a number of domains, like “google” or “hotmail,” where domain.TLD exists and is registered to the same entity in almost all TLDs. However, in smaller TLDs the domain.TLD may not have enough traffic to wind up in the Alexa top 1k. So we introduce the notion of “permuting” a domain: If we believe a domain to be in this category, we blacklist it in each TLD.
I think it’s the case that we’ve been over-inclusive about which domains get the “permute” treatment for the blacklist. I’ll talk with other folks on the team about doing another pass to see which domains really should get that treatment.
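An added example, not the author's or the CA's own code, modelling the two kinds of blacklist entries the post describes: exact names blocked in one TLD, and "permuted" labels blocked under every TLD. The blocked names, the stand-in public suffix set and the function names are constructed assumptions for illustration.

```python
# Exact entries block that registered name (and its subdomains) in one TLD only.
# Constructed sample data, not a real blacklist.
EXACT_BLOCKED = {"example-bank.com", "shop-example.net"}

# "Permuted" entries block the label under every TLD, because the same entity
# registers it in TLDs that may be too small to show up in the Alexa top 1k.
PERMUTE_BLOCKED = {"google", "hotmail"}

# A tiny constructed stand-in for the public suffix list, so that a name like
# "google.co.uk" is seen as label "google" under the suffix "co.uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "de", "io"}


def split_registrable(domain: str):
    """Return (registrable_label, public_suffix) for a domain, or None if the
    domain is itself a public suffix or ends in no recognised suffix."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest, so "co.uk"
    # is preferred over "uk"; skip a match if the whole remainder is a suffix.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and ".".join(labels[i - 1:]) not in PUBLIC_SUFFIXES:
            return labels[i - 1], suffix
    return None


def is_blocked(domain: str) -> bool:
    """True if issuance for `domain` should be refused under this blacklist."""
    d = domain.lower().rstrip(".")
    # An exact entry covers the name itself and any subdomain of it.
    if any(d == b or d.endswith("." + b) for b in EXACT_BLOCKED):
        return True
    parts = split_registrable(d)
    if parts is None:
        return False
    label, _suffix = parts
    # A permuted entry matches the registrable label whatever the TLD is.
    return label in PERMUTE_BLOCKED


if __name__ == "__main__":
    for name in ["google.com", "mail.google.co.uk", "hotmail.de",
                 "www.example-bank.com", "example-bank.net", "googlemail.com"]:
        print(f"{name:24s} blocked={is_blocked(name)}")
```

Note that a permuted label reaches every TLD and every subdomain of the name, which is exactly why over-inclusion in the "permute" set has a wider effect than an exact entry.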