Re: [W3C Web Security IG] Strews report - phase 2

From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, 18 May 2015 13:57:16 -0400
Message-ID: <CAH8yC8mzNVrycnCbZZhm4_Vi3QQW2638rVk3+mSQ5RW6PGY6Xg@mail.gmail.com>
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, Rigo Wenning <rigo@w3.org>

On Mon, May 18, 2015 at 8:54 AM, GALINDO Virginie
<Virginie.Galindo@gemalto.com> wrote:
> Dear all,
> In case you missed it, the second report of STREWS was delivered last
> week, focusing on the security web architecture (and tools to improve the
> web security).
> It is available here:
> http://www.strews.eu/images/StrewsWebSecurityArchitecture.pdf
> Any questions or comments should be directed to Rigo (CCed).

The treatment of DNS and the section on DNSSEC is very good. It makes
a lot of good points on why browsers are not using information from
DNS for things like CA (CAA Resource Records) and public key pinsets
(SSHFP-like resource records specifying pinsets).

The document seems to be missing a treatment of a subject, though. The
subject is the integrity and authenticity of the WHOIS information
used in Domain Validation.

On the surface, it appears the integrity and authenticity of the
database is accepted when performing domain validations, but later
rejected for things like additional resource records that could
provide context-specific security information. But I'm probably
reading or parsing it incorrectly.

Received on Monday, 18 May 2015 17:57:43 UTC