Re: [Bug 22214] How long do permissions persist?

On Fri, Jun 13, 2014 at 5:10 PM, cowwoc <cowwoc@bbs.darktech.org> wrote:

> On 13/06/2014 12:47 PM, Martin Thomson wrote:
>
>> On 13 June 2014 07:08, cowwoc <cowwoc@bbs.darktech.org> wrote:
>>
>>> I asked before but don't recall getting an answer: is the permission
>>> scope
>>> (for HTTPS) the same as the HTTPS certificate? Meaning, does it span
>>> multiple domains if the certificate does? Or is it for a single domain?
>>> Or
>>> is it unspecified?
>>>
>>
>> The grant is for the origin to which permission was granted.  The
>> details of the certificate do not matter at this level.
>>
>> If you have a wildcard for *.example.com, that doesn't allow you to
>> have https://foo.example.com use persistent permissions for
>> https://www.example.com.  Nor would it allow
>> https://www.example.com:9000 to use the same permissions.
>>
>
> Okay. Are there any objections to granting permissions to a certificate
> instead of to a single domain? Meaning, instead of granting permission to
> google.com, I'd grant permission to Google the company and implicitly to
> all domains and sub-domains covered by their certificate.
>
> From a trust point of view, if I don't trust Google I wouldn't grant
> google.com permission and on the flip side if I trust google.com I don't
> see a reason not to trust google.ca.
>

Yes, I object to this. The origin is the basic concept in security here,
not the certificate and there are cases where distinct origins operated
by different people share a certificate.

-Ekr

Received on Saturday, 14 June 2014 05:04:57 UTC