On Fri, Jun 13, 2014 at 5:10 PM, cowwoc <cowwoc@bbs.darktech.org> wrote: > On 13/06/2014 12:47 PM, Martin Thomson wrote: > >> On 13 June 2014 07:08, cowwoc <cowwoc@bbs.darktech.org> wrote: >> >>> I asked before but don't recall getting an answer: is the permission >>> scope >>> (for HTTPS) the same as the HTTPS certificate? Meaning, does it span >>> multiple domains if the certificate does? Or is it for a single domain? >>> Or >>> is it unspecified? >>> >> >> The grant is for the origin to which permission was granted. The >> details of the certificate do not matter at this level. >> >> If you have a wildcard for *.example.com, that doesn't allow you to >> have https://foo.example.com use persistent permissions for >> https://www.example.com. Nor would it allow >> https://www.example.com:9000 to use the same permissions. >> > > Okay. Are there any objections to granting permissions to a certificate > instead of to a single domain? Meaning, instead of granting permission to > google.com, I'd grant permission to Google the company and implicitly to > all domains and sub-domains covered by their certificate. > > From a trust point of view, if I don't trust Google I wouldn't grant > google.com permission and on the flip side if I trust google.com I don't > see a reason not to trust google.ca. > Yes, I object to this. The origin is the basic concept in security here, not the certificate and there are cases where distinct origins operated by different people share a certificate. -Ekr
Received on Saturday, 14 June 2014 05:04:57 UTC