W3C home > Mailing lists > Public > public-web-security@w3.org > May 2015

Re: [W3C Web Security IG] Strews report - phase 2

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 18 May 2015 21:14:28 +0200
To: noloader@gmail.com
Cc: GALINDO Virginie <Virginie.Galindo@gemalto.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <2310277.xEmSQ39yO2@hegel>
On Monday 18 May 2015 13:57:16 Jeffrey Walton wrote:
> The document seems to be missing a treatment of a subject, though. The
> subject is the integrity and authenticity of the WHOIS information
> used in Domain Validation.

Hm, yes, this is definitely an interesting question. The quality of 
information in whois databases and the DNS system. But WHOIS was not on our 
radar for Web security. I think Whois would merit its own case study like the 
one we have done for WebRTC
http://www.strews.eu/images/webrtc.pdf
because of all the privacy implications and the connections to the identity 
management systems and social networking etc. 
> 
> On the surface, it appears the integrity and authenticity of the
> database is accepted when performing domain validations, but later
> rejected for things like additional resource records that could
> provide context specific security information. But I'm probably
> reading or parsing it incorrectly.

Interesting remark, can you specify a page where the authenticity of the 
database is accepted and then where later rejected? This sounds like an 
unintended contradiction. 

 --Rigo

Received on Monday, 18 May 2015 19:14:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 18 May 2015 19:14:57 UTC