
Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Thu, 10 May 2012 16:24:21 -0700
Message-ID: <4FAC4E25.9010006@KingsMountain.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>

In reply to Adam's and Maciej's noting that there are issues with 
-domain-origin-assert with respect to "the web origin concept" (RFC6454):

The use of the term "origin" for this notion -- i.e., asserting administrative 
realm domain name boundaries -- is obviously unfortunately confusing and a 
different term/name probably should be used.

That said, the intention of this (so-called at the moment) "BOUND" declaration 
would be as a data source for "effective TLD (eTLD)" aka "public suffix" 
information, which is presently used in a number of places where domain names 
are manipulated/compared in (notably) browsers (e.g. search firefox and/or 
chromium source for "effective_tld" or "eTLD").

A couple of particular examples of such use are in evaluating whether to allow 
a cookie to be set for a particular Domain attribute (RFC6265), and in 
examining asserted server certificate subject domain names (e.g., not accepting 
a cert for "*.com").

The only way it seems that such a mechanism (e.g. "BOUND" and/or eTLD data) 
would be involved in Web Origins would be in evaluation/comparison of a web 
origin's host (aka domain name) component -- and this appears to already be the 
case anyway.

HTH,

=JeffH
Received on Thursday, 10 May 2012 23:24:50 GMT
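The two uses of public-suffix (eTLD) data that the mail above cites, deciding whether a cookie's Domain attribute (RFC 6265) may be honoured and refusing wildcard certificates such as "*.com", as an added JavaScript example. This is illustrative code written for this page, not code from Firefox, Chromium, or the -domain-origin-assert draft; the rule list is a constructed subset of the Public Suffix List (publicsuffix.org) rule syntax, and the function names and the wildcard policy are the example's own assumptions.

```javascript
// Constructed subset of the Public Suffix List: plain rules, one wildcard rule
// ("*.ck") and one exception rule ("!www.ck"). Not the real list.
const SAMPLE_PSL_RULES = ['com', 'uk', 'co.uk', 'io', 'github.io', '*.ck', '!www.ck'];

const PSL_RULES = SAMPLE_PSL_RULES.map((r) => {
  const exception = r.startsWith('!');
  return { exception, labels: (exception ? r.slice(1) : r).toLowerCase().split('.') };
});

function hostLabelsOf(host) {
  return host.toLowerCase().replace(/\.$/, '').split('.');
}

// A rule matches when its labels equal the host's rightmost labels ("*" matches any one label).
function ruleMatches(ruleLabels, hostLabels) {
  if (ruleLabels.length > hostLabels.length) return false;
  for (let i = 1; i <= ruleLabels.length; i++) {
    const r = ruleLabels[ruleLabels.length - i];
    if (r !== '*' && r !== hostLabels[hostLabels.length - i]) return false;
  }
  return true;
}

// Public suffix per the publicsuffix.org algorithm: exception rules win, otherwise the
// rule with the most labels; with no matching rule the implicit rule is "*" (one label).
function publicSuffix(host) {
  const hostLabels = hostLabelsOf(host);
  let prevailing = null;
  for (const rule of PSL_RULES) {
    if (!ruleMatches(rule.labels, hostLabels)) continue;
    if (prevailing === null || (rule.exception && !prevailing.exception) ||
        (!prevailing.exception && rule.labels.length > prevailing.labels.length)) {
      prevailing = rule;
    }
  }
  let n = prevailing ? prevailing.labels.length : 1;
  if (prevailing && prevailing.exception) n -= 1; // exception: drop the leftmost rule label
  return hostLabels.slice(hostLabels.length - n).join('.');
}

// eTLD+1; null when the host is itself a public suffix (e.g. "co.uk", "foo.ck").
function registrableDomain(host) {
  const hostLabels = hostLabelsOf(host);
  const suffixLen = publicSuffix(host).split('.').length;
  if (hostLabels.length <= suffixLen) return null;
  return hostLabels.slice(hostLabels.length - suffixLen - 1).join('.');
}

// RFC 6265 section 5.1.3 "domain-matches" (IP-address case omitted in this example).
function domainMatches(str, domain) {
  return str === domain || str.endsWith('.' + domain);
}

// Cookie Domain attribute handling in the shape of RFC 6265 section 5.3 steps 4-6:
// a Domain that is a public suffix is dropped unless it equals the request host
// (then the cookie becomes host-only); otherwise the host must domain-match it.
// Returns {hostOnly, domain} or null when the cookie must be ignored.
function cookieDomainDecision(requestHost, domainAttribute) {
  const host = requestHost.toLowerCase();
  if (!domainAttribute) return { hostOnly: true, domain: host };
  let domain = domainAttribute.toLowerCase();
  if (domain.startsWith('.')) domain = domain.slice(1); // section 5.2.3 strips a leading dot
  if (domain === publicSuffix(domain)) {
    return domain === host ? { hostOnly: true, domain: host } : null;
  }
  if (!domainMatches(host, domain)) return null;
  return { hostOnly: false, domain };
}

// Certificate name matching with a wildcard policy (this example's own, in the spirit of
// RFC 6125 section 6.4.3): "*" may only be the whole leftmost label, matches exactly one
// label, and the fixed part must not be a public suffix, so "*.com" and "*.co.uk" fail.
function wildcardCertMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.includes('*')) return p === h;
  const labels = p.split('.');
  if (labels[0] !== '*' || labels.slice(1).includes('*')) return false;
  const base = labels.slice(1).join('.');
  if (registrableDomain(base) === null) return false; // base is a public suffix
  const hostLabels = h.split('.');
  if (hostLabels.length !== labels.length || hostLabels[0] === '') return false;
  return hostLabels.slice(1).join('.') === base;
}
```

The same eTLD lookup feeds both checks, which is the point the mail makes: cookie scoping and certificate name validation both need to know where the registry-controlled part of a name ends, and a BOUND-style declaration would simply be another source of that data.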
