W3C home > Mailing lists > Public > www-talk@w3.org > November to December 2008

Re: Fallback flow for /site-meta for top level domains

From: Ben Laurie <benl@google.com>
Date: Wed, 3 Dec 2008 17:34:43 +0000
Message-ID: <1b587cab0812030934t255aecb7x3464f06b1776afee@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>, Jonathan Rees <jar@creativecommons.org>

On Wed, Dec 3, 2008 at 5:32 PM, Breno de Medeiros <breno@google.com> wrote:
> There is a bit too much emphasis put on the word 'authoritative' here.
> There is so much that can be considered authoritative about an
> unsigned document, even if served through HTTPS. Serving a document
> over HTTPS just requires defacing a web site, something not that hard
> to do considering the great variety of vulnerable server software out
> there.
>
> When we start talking about signing such documents, and where the
> trust is coming from, then maybe the word authoritative will take a
> real-world significance.
> However, from what I have been hearing, the current proposal does not
> plan for signing of site-meta,

That seems a shame.

> and the links pointed to by it will
> have to carry implicit trust (maybe they will be signed documents, or
> maybe they are just informative).
>
> It is probably better to think of site-meta as a 'hint' of where to
> find things. Which, come to think of it, in these days of readily
> spoofable DNS resolution, it also the only level of assurance that DNS
> provides. As Ben pointed out, DNS is happy to be authoritative over
> pretty much anything and provide assurance about nothing.

To be fair, this is why DNSSEC exists.
Received on Wednesday, 3 December 2008 17:35:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:29 GMT