
Re: widget example of CORS and UMP

From: Tyler Close <tyler.close@gmail.com>
Date: Fri, 14 May 2010 11:20:54 -0700
Message-ID: <AANLkTik3qHPvTJibTr7s-1zMov7cFBwgUhEtdOukIZaw@mail.gmail.com>
To: Dirk Pranke <dpranke@chromium.org>
Cc: Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Fri, May 14, 2010 at 11:00 AM, Dirk Pranke <dpranke@chromium.org> wrote:
> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>> There are also more subtle risks to shared secrets. If you are creating your
>> secrets with a bad random number generator, then they will not in fact be
>> unguessable and you have a huge vulnerability. Even security experts can
>> make this mistake, here is an example that impacted a huge number of people:
>> <http://www.debian.org/security/2008/dsa-1571>.
>>
>
> Sure.

Is someone claiming that the CORS cookie solution does not require use
of a random number generator? What's in the cookie and where did it
come from?

Access to a good random number generator is a requirement for either
solution and so is not relevant to this discussion.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Friday, 14 May 2010 18:21:28 GMT
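
An added illustration of the point in this message that both designs depend on the random number generator; it is not code from the thread or from either specification. The cookie name, the `api.example` URL, the helper names and the 15-bit seed space are constructed assumptions that model a generator with too little entropy.

```python
import random
import secrets

SEED_SPACE = 2 ** 15  # constructed: a generator whose only entropy is a 15-bit seed


def mint_token(source, nbytes=16):
    """Mint a 128-bit hex secret from the supplied byte source."""
    return source(nbytes).hex()


def weak_source(seed):
    """Byte source backed by a PRNG seeded from a small integer (the failure case)."""
    prng = random.Random(seed)
    return lambda n: bytes(prng.getrandbits(8) for _ in range(n))


def strong_source():
    """Byte source backed by the operating system CSPRNG."""
    return secrets.token_bytes


def issue_credentials(source):
    """Both designs draw their secret from the same kind of source."""
    return {
        # CORS with cookies: the secret travels as an ambient credential.
        "cors_cookie": "session=" + mint_token(source),
        # UMP: the secret travels explicitly inside the request.
        "ump_url": "https://api.example/feed?s=" + mint_token(source),
    }


def distinct_outputs(field, seeds=range(SEED_SPACE)):
    """Count the distinct values one credential can take across the seed space."""
    return len({issue_credentials(weak_source(s))[field] for s in seeds})


if __name__ == "__main__":
    for field in ("cors_cookie", "ump_url"):
        print(field, "has at most", distinct_outputs(field), "values with the weak source")
    print(issue_credentials(strong_source()))
```

With the weak source, the cookie and the URL secret are each confined to the same small set of values even though both look like 128-bit strings, so the generator has to be audited in either design.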
