
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Breno de Medeiros <breno@google.com>
Date: Tue, 24 Feb 2009 09:07:02 -0800
Message-ID: <29fb00360902240907u7f3d5f99k93c26b371f4ad0ee@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: Ben Laurie <benl@google.com>, Adam Barth <w3c@adambarth.com>, Mark Nottingham <mnot@mnot.net>, "www-talk@w3.org" <www-talk@w3.org>

Since XRD is maybe the first security-sensitive application to depend on
this proposed spec, I think it is appropriate that it work as a laboratory
for the signature-based approach.

On Tue, Feb 24, 2009 at 8:23 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

> It will, if extended to host-meta (it is currently discussed for XRD
> documents), but either way will not be part of the host-meta spec.
>
> EHL
>
> > -----Original Message-----
> > From: Ben Laurie [mailto:benl@google.com]
> > Sent: Tuesday, February 24, 2009 1:55 AM
> > To: Adam Barth
> > Cc: Mark Nottingham; Eran Hammer-Lahav; www-talk@w3.org
> > Subject: Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)
> >
> > On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote:
> > > On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote:
> > >> I don't see why - if www.us.example.com chooses to delegate to
> > >> www.hq.example.com, that that is its affair, not ours, surely?
> > >
> > > Following redirects is insecure for sites that let users configure
> > > redirects.
> > >
> > > Every time you trade away security like this, you make it more likely
> > > that host-meta will be unusable for secure metadata.  If host-meta is
> > > unsuitable for secure metadata, folks that require security will just
> > > work around host-meta by creating a "secure-meta."  I can't tell you
> > > which of the security compromises will cause this to happen.  Security
> > > is often a "death of a thousand paper cuts" that eventually add up to
> > > you being owned.
> >
> > I thought signing was supposed to deal with the issues around
> > redirects?
>
>


-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
Received on Tuesday, 24 February 2009 17:07:42 GMT
