
Re: Simple approach for <access>

From: Robin Berjon <robin@berjon.com>
Date: Sun, 19 Apr 2009 16:24:52 +0200
Cc: public-webapps@w3.org
Message-Id: <886A310C-2CE3-46B8-BAB0-A1AF5079A307@berjon.com>
To: Thomas Roessler <tlr@w3.org>

Hi Thomas,

On Apr 16, 2009, at 17:23 , Thomas Roessler wrote:
> 1. How is the information in this access element going to be used at  
> installation time or distribution time?  I'd like to see some spec  
> text that explains this.

My understanding is that this is like the feature element and others:  
it is metadata and its enforcement depends on a security policy. When  
that security policy intervenes (I would expect at runtime, for every  
access) is presumably orthogonal.

> 2. If one of the risks we're interested in is firewall traversal,  
> then the proposed domain name wildcard has a somewhat different  
> risk profile than just a single domain name:  while you can do a DNS  
> rebinding attack for a single hostname, that's a well-known issue,  
> and hopefully worked around in today's browser engines.  With the  
> wildcard, though, it becomes relatively easy to do firewall  
> traversal:  For example, one could simply generate DNS records  
> n.n.n.n.example.com that point to the IP address n.n.n.n.

I think that this is also meant to be orthogonal to firewalls, but  
maybe I'm missing something?

-- 
Robin Berjon - http://berjon.com/
     Feel like hiring me? Go to http://robineko.com/
Received on Sunday, 19 April 2009 14:25:30 GMT
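
The wildcard concern in point 2 of the quoted message, as an added example that is not part of the original e-mail or of any Widgets specification: a resolve-time check that a user agent's security policy could apply, refusing a host that matches a wildcard pattern but resolves to an internal address. The function names, the `*.example.com` pattern syntax and the sample resolver table are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample resolver output (hostname -> A records); no live DNS is used.
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "10.0.0.5.example.com": ["10.0.0.5"],        # n.n.n.n.example.com -> n.n.n.n
    "192.168.1.1.example.com": ["192.168.1.1"],
    "cdn.example.com": ["93.184.216.34", "127.0.0.1"],  # mixed answer set
}


def matches_wildcard(host, pattern):
    """True if host is a strict subdomain of '*.suffix', or equals a literal pattern."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_internal(addr):
    """True for addresses that should not be reachable through a public wildcard."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def check_access(host, pattern, dns=SAMPLE_DNS):
    """Return (allowed, reason) for one network access under a wildcard pattern."""
    if not matches_wildcard(host, pattern):
        return False, "host not covered by access pattern"
    addrs = dns.get(host.lower().rstrip("."), [])
    if not addrs:
        return False, "no address records"
    # Reject if ANY record is internal: a mixed answer set must not pass.
    internal = [a for a in addrs if is_internal(a)]
    if internal:
        return False, "resolves to internal address " + internal[0]
    return True, "ok"


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(name, check_access(name, "*.example.com"))
```

The check has to run on the address actually used for the connection, so a real implementation would pin the validated address rather than resolve a second time.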
