Re: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015) from Chris Palmer on 2014-11-08 (public-geolocation@w3.org from November 2014)

From: Chris Palmer <palmer@google.com>
Date: Fri, 7 Nov 2014 17:18:24 -0800
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "Nilsson, Claes1" <Claes1.Nilsson@sonymobile.com>, Martin Thomson <martin.thomson@gmail.com>, Mounir Lamouri <mounir@lamouri.fr>, "public-geolocation@w3.org" <public-geolocation@w3.org>, Mike West <mkwst@google.com>
Message-ID: <CAOuvq2045E29r87CaUvGdCNvQXXb=ici5rvpZbgwECCBmABiAA@mail.gmail.com>

On Fri, Nov 7, 2014 at 2:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> It should be easy for anyone to get a certificate.
> Authenticated/secure origins is not about that. It's about protecting
> the end user against the network. The user will still have to decide
> whether to trust the domain name. (It's far from trivial for any evil
> guy to get a certificate for a domain of his choosing.

And we are working to make it more difficult, such as with Certificate
Transparency and key pinning.

Received on Saturday, 8 November 2014 01:18:51 UTC