- From: L. David Baron <dbaron@dbaron.org>
- Date: Mon, 4 Feb 2008 14:46:46 -0800
- To: "WAF WG (public)" <public-appformats@w3.org>
On Monday 2008-02-04 13:32 -0800, Jon Ferraiolo wrote: > Access Control has a negative from a security perspective in that, if you > don't implement server-side policy management and leave it to the client, > then the data comes down the pipe only to be discarded by the client after > failing the Access Control check, but that means that malicious clients > (i.e., clients that pretend to implement Access Control properly but don't) > or man-in-the-middle software have access to the data. Therefore, if your > data isn't public, then I would recommend server-side PEP to the web > community. The basic rule in security is that the server should not blindly > trust the client, and the client should not blindly trust the server. Let's not forget what the security threat we're protecting against here. The threat that we're protecting against is the threat that a user has an already-privileged client (where the privileges may come from being behind a firewall, or from cookies, etc.), and a third party site (accessed by the same client) uses the privileges already granted to that client to gain access to protected resources (ones that the client already has access to). In that scenario, if the client is malicious, you've already lost. In that scenario, if you've got a man-in-the-middle attack between the server and the client, you've already lost. If you don't trust the client that you've *already* granted privileges to, you've already lost. I don't think those issues are relevant here. -David -- L. David Baron http://dbaron.org/ Mozilla Corporation http://www.mozilla.com/
Received on Monday, 4 February 2008 22:47:02 UTC