W3C home > Mailing lists > Public > www-tag@w3.org > December 2009

Re: ACTION-278 Hiding metadata for security reasons

From: Jonathan Rees <jar@creativecommons.org>
Date: Tue, 29 Dec 2009 20:14:01 -0500
Message-ID: <760bcb2a0912291714o73526232r4c1291e0c0c91674@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: www-tag@w3.org, "Mark S. Miller" <erights@google.com>
One thing puzzled me: The only really secure solution (against DNS
attacks, MITM, and so on) is to put the unguessable part in the
fragid. This would point directly at the webkeys approach. The google
calendar case is something like

http://www.google.com/calendar/hosted/creativecommons.org/embed?src=jonathan.rees%40gmail.com&ctz=America/New_York&pvttk=ebbb36156aaf108300c96ad196573f5d

(The bits have been changed to protect the innocent.) Note (1) http
not https, (2) unguessable portion before #, not after #.

Do we endorse this kind of thing, tolerate it, or advise against it?
Are any private URIs other than web-keys OK? I guess I was trying to
hedge, which in retrospect was a bad idea.

Jonathan
Received on Wednesday, 30 December 2009 01:14:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:18 GMT