W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 12 Feb 2009 01:50:33 +0000 (UTC)
To: Breno de Medeiros <breno@google.com>
Cc: Adam Barth <w3c@adambarth.com>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
Message-ID: <Pine.LNX.4.62.0902120149590.952@hixie.dreamhostps.com>

On Wed, 11 Feb 2009, Breno de Medeiros wrote:
> 
> My only concern is that the requirement is construed as reasonably 
> sufficient for security (which is indeed the case of crossdomain.xml, 
> but not for many intended applications). The example Adam just gave, 
> i.e., server-to-server authentication metadata being subverted by 
> uploading a file, is the type of application that I believe should 
> ideally resist full compromise of the server (e.g., by using metadata 
> signed with offline keys). So I am not necessarily opposed to it, but 
> the language needs to make it clear that this strategy serves to 
> mitigate a very specific class of threats.

Agreed. I don't think anyone is saying this is the be-all and end-all of 
security, only that it is one step of many needed to have defence in 
depth.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 12 February 2009 01:51:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT