W3C home > Mailing lists > Public > public-web-security@w3.org > May 2012

Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 7 May 2012 16:30:34 -0700
Message-ID: <CABcZeBNT91BxbT=_OWYfqrYEsGTT7MgsjMLsg_rvoQb769N5bg@mail.gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>, Andrew Sullivan <ajs@anvilwalrusden.com>
On Sun, May 6, 2012 at 6:17 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> On 5/5/12 4:17 AM, Thomas Roessler wrote:
>> For your information:
>>       http://tools.ietf.org/html/draft-sullivan-domain-origin-assert-00
>>
>> This seems targeted at situations where different domain names want to assert that they're something like same-origin, and for use by security policies implemented in browsers.
>
> Hi Thomas,
>
> Having talked with Andrew and other folks quite a bit about this topic
> (most recently at IETF 83), I'd say that ultimately it is directed at
> finding a way to build a scalable approach to solving the same problem
> that is solved right now with the public suffix list.

I guess I don't see anything wrong with this, but I don't see how it
is going to be deployable, either. The sticking point is incremental
deployment In the medium (arguably long) term a large fraction
of browsers will not understand this mechanism (and an even
larger one will likely not do DNSSEC). So, that means that any
information published this way must also be replicated elsewhere,
or the site won't be usable for a large fraction of browsers, which
severely reduces the value of the mechanism for site operators.

-Ekr
Received on Monday, 7 May 2012 23:31:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 May 2012 23:31:45 GMT