W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

RE: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Tue, 24 Feb 2009 09:23:03 -0700
To: Ben Laurie <benl@google.com>, Adam Barth <w3c@adambarth.com>
CC: Mark Nottingham <mnot@mnot.net>, "www-talk@w3.org" <www-talk@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234127DD22FE0@P3PW5EX1MB01.EX1.SECURESERVER.NET>
It will, if extended to host-meta (it is currently discussed for XRD documents), but either way will not be part of the host-meta spec.

EHL

> -----Original Message-----
> From: Ben Laurie [mailto:benl@google.com]
> Sent: Tuesday, February 24, 2009 1:55 AM
> To: Adam Barth
> Cc: Mark Nottingham; Eran Hammer-Lahav; www-talk@w3.org
> Subject: Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-
> meta-01)
> 
> On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote:
> > On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote:
> >> I don't see why - if www.us.example.com chooses to delegate to
> >> www.hq.example.com, that that is its affair, not ours, surely?
> >
> > Following redirects is insecure for sites that let users configure
> redirects.
> >
> > Every time you trade away security like this, you make it more likely
> > that host-meta will be unusable for secure metadata.  If host-meta is
> > unsuitable for secure metadata, folks that require security will just
> > work around host-meta by creating a "secure-meta."  I can't tell you
> > which of the security compromises will cause this to happen.
>  Security
> > is often a "death of a thousand paper cuts" that eventually add up to
> > you being owned.
> 
> I thought signing was supposed to deal with the issues around
> redirects?
Received on Tuesday, 24 February 2009 16:23:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT