RE: Accountability in AC4CSR

Jonas Sicking wrote:
> Sent: Thursday, February 07, 2008 11:59 AM
> To: Close, Tyler J.; WAF WG (public)
> Subject: Re: Accountability in AC4CSR
>
> > Is the user or the Referer-Root site accountable for a
> > cross-domain non-GET request? Does the proposed protocol make
> > it possible for the site hosting the resource to correctly
> > determine the answer to that question?
>
> I think I have answered the accountability question in
>
> http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0076.html

where Jonas Sicking wrote:
> Ah, well, I'd say it's the Referer-Root site acting as an
> agent for the user.

But we don't know for sure that the Referer-Root site had anything to do with the request. The user could have sent the request on their own, and tried to frame the Referer-Root site for the deed. It's not just about whether or not the request is processed, but who is accountable for it being processed. In some of your arguments, you seem to have not thought beyond the point where the request is processed.

> So if you trust the Referer-Root site
> then you can hold the user accountable. But if you don't
> trust the Referer-Root site, such as if you've never heard
> of it, then you should hold the Referer-Root site accountable.

And in neither case will you know whether or not you're right. You're basically saying that the protocol provides no useful security properties between users and Referer-Root sites.

Policies based on the privacy of the user's password do not work for cross-domain requests. Yet, by sending the user cookies, the protocol leaves the impression that policies can continue working as they previously have.

--Tyler

Received on Thursday, 7 February 2008 21:00:38 UTC