Re: comments on access control for cross-site requests - WSC member

> On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <wdoyle@mitre.org>
> wrote:
>> Not sure how the web server protects itself - "site should be
>> protected from any other requests until it grants access"
> 
> ## Sorry I was not clear. The Web Server needs to be able to control
> its IA boundary. In your description and reply the client provides the
> protection.

>> Issue is that the web server owner loses Information Assurance (IA)
>> control, this is an issue for my customers. IA control cannot be
>> handed over to a 3rd party. For my customers, the web server owners
>> need to manage the IA settings.
> 
> Do you have a more concrete scenario that illustrates this? I'm not
> sure I follow.
> 
> ## Draft notes that the client becomes the Policy Decision Point, the
> IA boundary of the server is extended to include the client.

Since we are trying to prevent the client from sending a dangerous 
request, there has to be some interaction with the client. I.e. we have 
to send some data to the client to indicate that the dangerous request 
should not be performed.

Not sure how you could possibly avoid that?

However, note that "don't send anything different from what you've been 
sending before" is considered such an indication. So effectively you are 
safe by default.

/ Jonas
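The model Jonas describes, as an added illustration that is not part of this thread or of the W3C draft: the web server stays the policy decision point (it owns the origin allowlist), the client is only the enforcement point, and a server that says nothing is treated as "deny". The header name used is the one later standardized by CORS, `Access-Control-Allow-Origin`, not the 2007 draft's syntax; origins and the allowlist are constructed sample values.

```python
# Added example. Server-side policy decision plus client-side enforcement
# for a cross-site request. Header name follows the later CORS spec; the
# 2007 draft used a different syntax. All origins below are constructed.

ALLOWED_ORIGINS = {"https://partner.example"}   # the server's own IA policy


def server_response_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Server decides. Attaches an explicit grant only for origins on its
    allowlist; any other origin gets a response with no grant at all."""
    headers = {"Content-Type": "application/json"}
    if request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"   # grant depends on the requesting origin
    return headers


def legacy_server_headers(request_origin):
    """A server that predates the mechanism: it emits nothing about access
    control, so the client must withhold the response (safe by default)."""
    return {"Content-Type": "text/html"}


def client_may_expose(request_origin, response_headers):
    """Client enforces. The response is released to the requesting page only
    if the server explicitly granted this origin (or everyone)."""
    grant = response_headers.get("Access-Control-Allow-Origin")
    if grant is None:
        return False   # server said nothing different: deny
    return grant == "*" or grant == request_origin


def cross_site_fetch(request_origin, server=server_response_headers):
    """Simulated round trip. True if the requesting page may read the
    response, False if the client has to withhold it."""
    return client_may_expose(request_origin, server(request_origin))


if __name__ == "__main__":
    for origin in ("https://partner.example", "https://other.example"):
        verdict = "exposed" if cross_site_fetch(origin) else "withheld"
        print(f"{origin} -> {verdict}")
    print("legacy server ->",
          "exposed" if cross_site_fetch("https://partner.example",
                                        legacy_server_headers) else "withheld")
```

The server never hands its policy to anyone: the client only ever sees a per-response grant or its absence, and absence always means the response stays withheld.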

Received on Tuesday, 18 December 2007 23:12:30 UTC