Yes, I thought about it more as the discussion progressed and I have persuaded myself of the same -- that the trust relationship between browser and webserver wouldn't need to exist.  Though I haven't had time to try to work through all the potential edge-cases.

I think many IT departments are struggling with how to deal with the problems introduced by poor browser security.  I have no doubt that given the choice between properly implemented browser security or dealing with the problems all in the IT infrastructure, they would rather trust the browser as it would be a far far cheaper solution.  Given that trust has been significantly eroded, I agree that the desire for more control over their own destiny is likely very prevalent right now.


Mark Nottingham <> wrote: 
On 09/01/2008, at 9:38 AM, Brad Porter wrote:

> In particular, moving to server-based access-control requires:
> a) browsers to provide verifiable REFERER, unique user, or other  
> equivalent identity information

I don't follow this. It requires data to be provided by the browser  
(Referer-Root in the current proposal), but it doesn't require it to  
be verifiable, any more than you require the client's application of  
the policy to be verifiable.

If anything, I'd imagine the server-side model to be more attractive  
to the corporate IT department, because it requires so much less of  
the browser (where so many security bugs have originated, and  
something entirely outside their ability to fix).

Mark Nottingham

Received on Friday, 11 January 2008 06:03:34 UTC