Re: [Bug 22214] How long do permissions persist? from cowwoc on 2014-06-15 (public-media-capture@w3.org from June 2014)

From: cowwoc <cowwoc@bbs.darktech.org>
Date: Sun, 15 Jun 2014 18:23:09 -0400
To: Eric Rescorla <ekr@rtfm.com>
CC: Martin Thomson <martin.thomson@gmail.com>, "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <539E1CCD.7080007@bbs.darktech.org>

On 14/06/2014 1:03 AM, Eric Rescorla wrote:
> On Fri, Jun 13, 2014 at 5:10 PM, cowwoc <cowwoc@bbs.darktech.org 
> <mailto:cowwoc@bbs.darktech.org>> wrote:
>
>     On 13/06/2014 12:47 PM, Martin Thomson wrote:
>
>         On 13 June 2014 07:08, cowwoc <cowwoc@bbs.darktech.org
>         <mailto:cowwoc@bbs.darktech.org>> wrote:
>
>             I asked before but don't recall getting an answer: is the
>             permission scope
>             (for HTTPS) the same as the HTTPS certificate? Meaning,
>             does it span
>             multiple domains if the certificate does? Or is it for a
>             single domain? Or
>             is it unspecified?
>
>
>         The grant is for the origin to which permission was granted.  The
>         details of the certificate do not matter at this level.
>
>         If you have a wildcard for *.example.com <http://example.com>,
>         that doesn't allow you to
>         have https://foo.example.com use persistent permissions for
>         https://www.example.com.  Nor would it allow
>         https://www.example.com:9000 to use the same permissions.
>
>
>     Okay. Are there any objections to granting permissions to a
>     certificate instead of to a single domain? Meaning, instead of
>     granting permission to google.com <http://google.com>, I'd grant
>     permission to Google the company and implicitly to all domains and
>     sub-domains covered by their certificate.
>
>     From a trust point of view, if I don't trust Google I wouldn't
>     grant google.com <http://google.com> permission and on the flip
>     side if I trust google.com <http://google.com> I don't see a
>     reason not to trust google.ca <http://google.ca>.
>
>
> Yes, I object to this. The origin is the basic concept in security here,
> not the certificate and there are cases where distinct origins operated
> by different people share a certificate.
>
> -Ekr

I almost agree with you (given that same-origin policy is widespread) 
but still:

You are asking me to trust a certificate in order to grant permission to 
an origin. If someone hijacks the certificate, isn't it trivial to 
circumvent the same-origin policy? Meaning, what is the practical 
benefit of trusting origin A but not B if both are operating under the 
trust of certificate C? True, origin B could become malicious 
independently of origin A, but the opposite could be just a likely.

Is a user really in a better position to judge whether individual 
origins are trustworthy than the certificate owner?

Gili

Received on Sunday, 15 June 2014 22:23:41 UTC