On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote: > On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote: >> I don't see why - if www.us.example.com chooses to delegate to >> www.hq.example.com, that that is its affair, not ours, surely? > > Following redirects is insecure for sites that let users configure redirects. > > Every time you trade away security like this, you make it more likely > that host-meta will be unusable for secure metadata. If host-meta is > unsuitable for secure metadata, folks that require security will just > work around host-meta by creating a "secure-meta." I can't tell you > which of the security compromises will cause this to happen. Security > is often a "death of a thousand paper cuts" that eventually add up to > you being owned. I thought signing was supposed to deal with the issues around redirects?Received on Tuesday, 24 February 2009 09:55:13 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:38:52 GMT