W3C home > Mailing lists > Public > public-web-security@w3.org > May 2015

Re: [W3C Web Security IG] Strews report - phase 2

From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, 18 May 2015 14:45:41 -0400
Message-ID: <CAH8yC8=TwOjS0NwE6qKPHD6-bcbn0bFoVV3DGSMgfQb+vJ8ZcA@mail.gmail.com>
To: ryan-w3-web-security@sleevi.com
Cc: "public-web-security@w3.org" <public-web-security@w3.org>, Rigo Wenning <rigo@w3.org>
On Mon, May 18, 2015 at 2:31 PM, Ryan Sleevi
<ryan-w3-web-security@sleevi.com> wrote:
> On Mon, May 18, 2015 11:23 am, Jeffrey Walton wrote:
>>  On Mon, May 18, 2015 at 2:22 PM, Ryan Sleevi
>> > I suspect you may have meant DANE (which is for clients).
>>  Actually, NO.
>>
>>  Its security specific context information. I'm happy to use any
>>  security specific context information I can get my hands on.
>>
> Then you'd be wrong for using CAA, as everyone who has worked with CAA can
> easily tell you, and you'd be causing problems and discouraging deployment
> of CAA, making (almost) everyone who has worked with CAA sad. :)

You really should read up on security diversification strategies.
Guttman has a very good treatment of the subject in his book,
Engineering Security
(https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).

> So again, no, that's what not CAA is for. (Though this group isn't the
> best place to explain CAA or how it should work, it was enough to qualify
> precisely why CAA has no relevance of bearing for clients, lest someone
> think it does)

Thanks.

Jeff
Received on Monday, 18 May 2015 18:46:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 18 May 2015 18:46:09 UTC