[whatwg] "secure" attribute in Storage section of WA spec

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 26 Jun 2006 16:58:41 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0606261653480.4826@dhalsim.dreamhost.com>

On Mon, 26 Jun 2006, Gervase Markham wrote:
> > 
> > interface StorageItem {
> >            attribute boolean secure;
> >            attribute DOMString value;
> > };
> 
> I would like to suggest that the "secure" attribute be an integer rather
> than a boolean, initially with 0 meaning insecure, and 1 meaning secure.
> 
> So, for example, you could have StorageItems which were only returned if 
> the page on the site was secured with a new EV cert, and were not 
> accessible to pages which had an ordinary cert or no cert.

Is it ever possible to get an "ordinary cert" which claims to identify 
some domain, but which was not purchased by the owners of that domain? The 
only reason for the "secure" attribute is to avoid DNS spoofing; the flag 
has two values -- allow DNS to be spoofed and return the item whether or 
not the site was spoofed, and only return the item if the site's 
certificate matched the domain name of the site.

I'm happy to make it a tristate flag, but I'd want to better understand 
why that would make it more secure. If it would make it more secure, that 
would imply some pretty worrying things about TLS today.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 26 June 2006 09:58:41 UTC