- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 18 Dec 2007 15:12:47 -0800
- To: "Doyle, Bill" <wdoyle@mitre.org>, "WAF WG (public)" <public-appformats@w3.org>
> On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <wdoyle@mitre.org> wrote:
>> Not sure how the web server protects itself - "site should be protected
>> from any other requests until it grants access"
>
> ## Sorry I was not clear. The Web Server needs to be able to control
> its IA boundary. In your description and reply the client provides the
> protection.
>
>> Issue is that the web server owner loses Information Assurance (IA)
>> control, this is an issue for my customers. IA control cannot be handed
>> over to a 3rd party. For my customers, the web server owners need to
>> manage the IA settings.
>
> Do you have a more concrete scenario that illustrates this? I'm not sure I
> follow.
>
> ## Draft notes that the client becomes the Policy Decision Point, the
> IA boundary of the server is extended to include the client.

Since we are trying to prevent the client from sending a dangerous request,
there has to be some interaction with the client. I.e. we have to send some
data to the client to indicate that the dangerous request should not be
performed. Not sure how you could possibly avoid that?

However, note that "don't send anything different from what you've been
sending before" is considered such an indication. So effectively you are
safe by default.

/ Jonas
Received on Tuesday, 18 December 2007 23:12:30 UTC
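The exchange above, as an added example that is not part of the original thread or of the WAF WG draft: a toy model in JavaScript of the client-enforced access control Jonas describes. The server keeps its IA control by deciding, per requesting origin, whether to grant access; the client is the policy decision point only in the sense that it enforces what the server said, and a server that says nothing has nothing exposed. The header names (Origin, Access-Control-Allow-Origin), the preflight step and the "simple request" rules follow the later CORS specification rather than the 2007 draft syntax, so treat them as an assumption of this example; the origins and the allow-lists are constructed sample data.

```javascript
// Added example, not code from the thread. Header names and the "simple
// request" rules are assumed from the later CORS spec, not the 2007 draft.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// "Don't send anything different from what you've been sending before":
// a request that an HTML form or <img> could already make is "simple" and
// may be sent without asking the server first. Anything else must not be
// sent until the server grants it.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lname)) return false;
    if (lname === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return false;
    }
  }
  return true;
}

// Server side: the server owner decides which origins are granted access.
// A server that knows nothing about the mechanism emits no grant header at
// all, and the client then exposes nothing (safe by default).
function serverPolicy(allowedOrigins) {
  return function respond(requestOrigin) {
    const headers = {};
    if (allowedOrigins.has(requestOrigin)) {
      headers["access-control-allow-origin"] = requestOrigin;
    }
    return headers;
  };
}

// Client side: the browser decides, but it can only decide "allow" when the
// server's response explicitly granted this origin.
function clientGrantsAccess(requestOrigin, responseHeaders) {
  const grant = responseHeaders["access-control-allow-origin"];
  return grant === "*" || grant === requestOrigin;
}

// One cross-site request from `origin`. Simple requests are sent and only
// the response is gated; non-simple ("dangerous") requests are preflighted
// and never sent unless the server granted them.
function crossSiteRequest(origin, method, headers, respond) {
  const log = [];
  if (!isSimpleRequest(method, headers)) {
    log.push("preflight");
    if (!clientGrantsAccess(origin, respond(origin))) {
      log.push("blocked before send");
      return { sent: false, exposed: false, log };
    }
  }
  log.push(`sent ${method.toUpperCase()}`);
  const exposed = clientGrantsAccess(origin, respond(origin));
  log.push(exposed ? "response exposed" : "response withheld");
  return { sent: true, exposed, log };
}

// Constructed sample: a legacy server with no policy, and a server that
// grants exactly one partner origin.
const legacyServer = serverPolicy(new Set());
const partnerServer = serverPolicy(new Set(["https://partner.example"]));

console.log(crossSiteRequest("https://attacker.example", "GET", {}, legacyServer).log);
console.log(crossSiteRequest("https://attacker.example", "DELETE", {}, legacyServer).log);
console.log(crossSiteRequest("https://partner.example", "DELETE", {}, partnerServer).log);
```

Reading the logs: against the legacy server the GET is sent (it was already possible before the mechanism existed) but its response is withheld, and the DELETE is never sent at all; only the origin the server owner listed gets the DELETE through and the response exposed.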