On Wed, 11 Feb 2009, Breno de Medeiros wrote: > > My only concern is that the requirement is construed as reasonably > sufficient for security (which is indeed the case of crossdomain.xml, > but not for many intended applications). The example Adam just gave, > i.e., server-to-server authentication metadata being subverted by > uploading a file, is the type of application that I believe should > ideally resist full compromise of the server (e.g., by using metadata > signed with offline keys). So I am not necessarily opposed to it, but > the language needs to make it clear that this strategy serves to > mitigate a very specific class of threats. Agreed. I don't think anyone is saying this is the be-all and end-all of security, only that it is one step of many needed to have defence in depth. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'Received on Thursday, 12 February 2009 01:51:10 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:38:52 GMT