W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Simple approach for <access>

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 20 Apr 2009 11:29:26 +0200
To: Robin Berjon <robin@berjon.com>
Message-Id: <F056C13F-7CDE-47EB-82A9-656020D0D41B@w3.org>
Cc: public-webapps@w3.org
On 19 Apr 2009, at 16:24, Robin Berjon wrote:

> On Apr 16, 2009, at 17:23 , Thomas Roessler wrote:
>> 1. How is the information in this access element going to be used  
>> at installation time or distribution time?  I'd like to see some  
>> spec text that explains this.

> My understanding is that this is like the feature element and  
> others: it is metadata and its enforcement depends on a security  
> policy. When that security policy intervenes (I would expect at  
> runtime, for every access) is presumably orthogonal.

The security policy is likely to intervene at two different times:

1. Install time, when it might turn into a request to the user to  
grant the requisite privileges.

2. Run time, when it will at the very least be enforced.  (Or might  
cause user interactions...)

>> 2. If one of the risks we're interested in is firewall traversal,  
>> then then proposed domain name wildcard has a somewhat different  
>> risk profile than just a single domain name:  while you can do a  
>> DNS rebinding attack for a single hostname, that's a well-known  
>> issue, and hopefully worked around in today's browser engines.   
>> With the wildcard, though, it becomes relatively easy to do  
>> firewall traversal:  For example, one could simply generate DNS  
>> records n.n.n.n.example.com that point to the IP address n.n.n.n.

> I think that this is also meant to be orthogonal to firewalls, but  
> maybe I'm missing something?

Of course it's orthogonal to firewalls.  However, it's not orthogonal  
to looking at the side effects that the design here might have on  
deployments.

If a particular design for the <access/> element is likely to cause a  
larger attack surface, then that's a consideration that needs to go  
into the design of <access/>.  I'm claiming that the implicit  
subdomain model has that effect.
Received on Monday, 20 April 2009 09:29:37 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT