Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

From: Andrew Sullivan <ajs@anvilwalrusden.com>
Date: Mon, 7 May 2012 08:46:45 -0400
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
Message-ID: <20120507124636.GE8963@mail.yitter.info>

On Sun, May 06, 2012 at 07:17:43PM -0600, Peter Saint-Andre wrote:
> On 5/5/12 4:17 AM, Thomas Roessler wrote:
> > For your information:
> > 	http://tools.ietf.org/html/draft-sullivan-domain-origin-assert-00
> > 
> > This seems targeted at situations where different domain names want to assert that they're something like same-origin, and for use by security policies implemented in browsers.
> 
> Hi Thomas,
> 
> Having talked with Andrew and other folks quite a bit about this topic
> (most recently at IETF 83), I'd say that ultimately it is directed at
> finding a way to build a scalable approach to solving the same problem
> that is solved right now with the public suffix list.

Well, both, really.

In my opinion, the public suffix list has a number of problems, one of
which is that its categorization isn't quite right: what it's trying
to communicate is whether a given domain is a registration-centric
domain across organizational boundaries.  Such an assertion is the
flip side of the same-origin policy, and therefore I think the two
issues can be addressed in a complementary way using one mechanism.
At least, I hope so.

Thanks to Thomas, in any case, for forwarding the mention.  Any review
is appreciated.

Best,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
Received on Wednesday, 9 May 2012 21:25:07 GMT