
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Mon, 23 Feb 2009 13:04:34 -0700
To: Adam Barth <w3c@adambarth.com>
CC: Breno de Medeiros <breno@google.com>, Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, "www-talk@w3.org" <www-talk@w3.org>
Message-ID: <C5C84152.130D6%eran@hueniverse.com>

On 2/23/09 11:46 AM, "Adam Barth" <w3c@adambarth.com> wrote:

> Reality is not as binary as you imply.  There is a spectrum of threat
> models corresponding to different attacker abilities.

Exactly!

And I am already aware of one effort looking to add a trust layer to
host-meta. Your suggestion of competing solutions fails a simple test. It is
easier to make the use of host-meta more restrictive (perhaps as you
suggested) than to invent a completely new one.

Nothing in host-meta prevents you from implementing these restrictions
(content type, redirections). By itself, host-meta includes no sensitive
information or anything that can pose a threat. That will come from
applications using it as a facility, just like they use HTTP.

We view standards architecture in a very different way. I want to create
building blocks and only standardize where there is an overwhelming value in
posing restrictions.

EHL
Received on Monday, 23 February 2009 20:05:15 GMT
