- From: Rigo Wenning <rigo@w3.org>
- Date: Sun, 29 Jun 2014 13:44:13 +0200
- To: public-web-security@w3.org
- Cc: GALINDO Virginie <Virginie.Galindo@gemalto.com>

On Saturday 28 June 2014 05:36:24 GALINDO Virginie wrote:
> Granting permissions to unauthenticated origins is, in the presence of
> a network attacker, equivalent to granting the permissions to any
> origin. The state of the internet is such that we must indeed assume
> that a network attacker is present.

The error here is that we assume the service/origin to be trustworthy and the attacker to be malicious. But in case of tracking, the authentication actually harms. So having more authentication isn't providing more security for the end user in general. In tracking, the service you're interacting with is the attacker. How does your model cope with this, and how does it avoid switching from tracking to authenticated tracking?

Now if we want to talk about origins and trustworthiness of code, how does your work relate to the Trusted Computing platform? Is it just basing itself on TLS or is it going further? Or is it just a list of partial URI-strings that will trigger better permissions? Have you thought about integrating provenance into the model?

--Rigo

Received on Sunday, 29 June 2014 11:44:42 UTC