Re: [Bug 22214] How long do permissions persist? from Martin Thomson on 2014-06-16 (public-media-capture@w3.org from June 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 16 Jun 2014 09:36:16 -0700
To: Harald Alvestrand <harald@alvestrand.no>
Cc: "public-media-capture@w3.org" <public-media-capture@w3.org>
Message-ID: <CABkgnnUvrNP5D_uckGzX6CbzaE82+f466GGBSJwkrB9miG7seg@mail.gmail.com>

On 16 June 2014 09:04, Harald Alvestrand <harald@alvestrand.no> wrote:
> Is a user really in a better position to judge whether individual origins
> are trustworthy than the certificate owner?
>
>
> If we were to put in the standard that permission is granted to C and
> everyone he signs for, instead of to either A or B, we deny operators the
> ability to host two services with different levels of trust under the same
> certificate.
>
> I don't think that's a good move.

I think that the key here is that a user has only got the domain name
(and port) to base decisions on.  I think that it would be surprising
if example.com were able to use my camera based on a permissions grant
to example.org.  Users won't know that they were the same entity; they
aren't checking certificates for subjectAltName values.

Received on Monday, 16 June 2014 16:36:47 UTC