- From: cowwoc <cowwoc@bbs.darktech.org>
- Date: Mon, 16 Jun 2014 16:25:13 -0400
- To: public-media-capture@w3.org

On 16/06/2014 12:36 PM, Martin Thomson wrote:
> On 16 June 2014 09:04, Harald Alvestrand <harald@alvestrand.no> wrote:
>> Is a user really in a better position to judge whether individual origins
>> are trustworthy than the certificate owner?
>>
>> If we were to put in the standard that permission is granted to C and
>> everyone he signs for, instead of to either A or B, we deny operators the
>> ability to host two services with different levels of trust under the same
>> certificate.
>>
>> I don't think that's a good move.
> I think that the key here is that a user has only got the domain name
> (and port) to base decisions on. I think that it would be surprising
> if example.com were able to use my camera based on a permissions grant
> to example.org. Users won't know that they were the same entity; they
> aren't checking certificates for subjectAltName values.

That's mostly true, though I would point out that Chrome's "origin chip" is slowly eroding that distinction. Today they're stripping the URL path. Tomorrow, "google.com" might show up as "Google".

Still, I think you've both made a compelling argument for maintaining the status quo. Thank you for the discussion!

Gili

Received on Monday, 16 June 2014 20:25:45 UTC