Re: Aligning grouping of resources in POWDER and WAF Access Control.

We took the view that, with few exceptions, if you own example.com, you 
have complete control over example.example.com too.

It means that, in the POWDER world, you could publish a description of 
"com" - i.e. everything on .com. It may be pretty meaningless, but, 
well, when did language stop people saying meaningless things? :-)

It's tempting to try and add restrictions such as requiring at least a 
2nd level domain. This might have the desired effect for .com, .org etc, 
but falls down in places where third level domains are the norm (.co.uk, 
.com.au, .com.cn etc.)

Phil

Jonas Sicking wrote:
> Jonas Sicking wrote:
>>
>> Anne van Kesteren wrote:
>>> On Mon, 23 Jul 2007 20:29:42 +0200, Jonas Sicking <jonas@sicking.cc> 
>>> wrote:
>>>>>  OK, forget the ? notation. Your examples are very clear and we 
>>>>> seem in full alignment that <foo.com> includes sub domains but 
>>>>> <*.foo.com> wouldn't include foo.com itself.
>>>>
>>>> Sounds great. What do other people think of switching to this 
>>>> syntax? The difference from the current spec would be to change
>>>
>>> The only slightly confusing thing is that <http://foo.com> also 
>>> matches <http://bar.foo.com> but I suppose that's ok.
>>
>> Yeah, I agree, but given all other alternatives I think this is 
>> better. If for example someone does
>>
>> CAC: allow <*> exclude <http://evil.com>
>>
>> is most likely useless since the owners of very.evil.com are the same 
>> ones as evil.com. So it's not unlikely that the rule can be easily 
>> circumvented.
>>
>> It's not ideal, but it's the least bad suggestion yet IMHO.
> 
> Sorry if the above is confusing. What I meant was that the above bad 
> scenario can happen unless we let http://evil.com match all subdomains 
> as well.
> 
> / Jonas

Received on Thursday, 26 July 2007 05:37:36 UTC
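
The matching behaviour discussed in this thread, as an added example that is not part of the original messages or of any spec text: it compares exact-host matching with the proposed rule where a bare host also covers its subdomains, using the `allow <*> exclude <http://evil.com>` rule quoted above. The function names, the rule object shape and the `subdomainsImplied` switch are assumptions made for illustration.

```javascript
// Added example (illustrative only). Pattern forms handled: "*", "host",
// "*.host", each optionally prefixed with "scheme://".
function parsePattern(pattern) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(.+)$/i.exec(pattern);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// subdomainsImplied = true  -> proposed rule: "foo.com" also covers bar.foo.com
// subdomainsImplied = false -> exact-host rule, shown for comparison
function hostMatches(patternHost, host, subdomainsImplied) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    // "*.foo.com" covers subdomains only, never foo.com itself.
    const suffix = patternHost.slice(1); // ".foo.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  if (host === patternHost) return true;
  // Compare on a label boundary so "notevil.com" never matches "evil.com".
  return subdomainsImplied && host.endsWith("." + patternHost);
}

function originMatches(pattern, origin, subdomainsImplied) {
  const p = parsePattern(pattern);
  const o = new URL(origin);
  if (p.scheme && p.scheme + ":" !== o.protocol) return false;
  return hostMatches(p.host, o.hostname, subdomainsImplied);
}

// An origin is allowed when some allow pattern matches and no exclude does.
function isAllowed(rule, origin, subdomainsImplied) {
  const hit = (list) => list.some((p) => originMatches(p, origin, subdomainsImplied));
  return hit(rule.allow) && !hit(rule.exclude);
}

// The rule from the thread, evaluated against constructed sample origins.
const rule = { allow: ["*"], exclude: ["http://evil.com"] };
for (const origin of ["http://evil.com", "http://very.evil.com", "http://notevil.com"]) {
  console.log(origin,
    "exact-host:", isAllowed(rule, origin, false),
    "subdomains implied:", isAllowed(rule, origin, true));
}
```

With exact-host matching the exclude entry does not cover `very.evil.com`; with subdomains implied it does, while `notevil.com` stays unaffected in both modes.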