Re: Fallback flow for /site-meta for top level domains

There is a bit too much emphasis put on the word 'authoritative' here.
There is so much that can be considered authoritative about an
unsigned document, even if served through HTTPS. Serving a document
over HTTPS just requires defacing a web site, something not that hard
to do considering the great variety of vulnerable server software out
there.

When we start talking about signing such documents, and where the
trust is coming from, then maybe the word authoritative will take on
real-world significance.
However, from what I have been hearing, the current proposal does not
plan for signing of site-meta, and the links pointed to by it will
have to carry implicit trust (maybe they will be signed documents, or
maybe they are just informative).

It is probably better to think of site-meta as a 'hint' of where to
find things. Which, come to think of it, in these days of readily
spoofable DNS resolution, is also the only level of assurance that DNS
provides. As Ben pointed out, DNS is happy to be authoritative over
pretty much anything and provide assurance about nothing.


On Wed, Dec 3, 2008 at 7:40 AM, Ben Laurie <benl@google.com> wrote:
>
> On Wed, Dec 3, 2008 at 12:58 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> On 03/12/2008, at 11:32 PM, Ben Laurie wrote:
>>> There are standards for XSS???
>>
>> There's a de facto standard in the browsers (same origin), and these folks
>> are working towards something more formal, maybe;
>>  http://www.w3.org/2006/WSC/
>
> Same origin policy isn't really all that much to do with cross-site
> scripting, surely?
>
>



-- 
--Breno


Received on Wednesday, 3 December 2008 17:33:27 UTC