- From: Eric Rescorla <ekr@rtfm.com>
- Date: Mon, 7 May 2012 16:30:34 -0700
- To: Peter Saint-Andre <stpeter@stpeter.im>
- Cc: Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>, Andrew Sullivan <ajs@anvilwalrusden.com>
On Sun, May 6, 2012 at 6:17 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> On 5/5/12 4:17 AM, Thomas Roessler wrote:
>> For your information:
>> http://tools.ietf.org/html/draft-sullivan-domain-origin-assert-00
>>
>> This seems targeted at situations where different domain names want to assert that they're something like same-origin, and for use by security policies implemented in browsers.
>
> Hi Thomas,
>
> Having talked with Andrew and other folks quite a bit about this topic
> (most recently at IETF 83), I'd say that ultimately it is directed at
> finding a way to build a scalable approach to solving the same problem
> that is solved right now with the public suffix list.

I guess I don't see anything wrong with this, but I don't see how it is going to be deployable, either.

The sticking point is incremental deployment. In the medium (arguably long) term a large fraction of browsers will not understand this mechanism (and an even larger one will likely not do DNSSEC). So, that means that any information published this way must also be replicated elsewhere, or the site won't be usable for a large fraction of browsers, which severely reduces the value of the mechanism for site operators.

-Ekr
Received on Monday, 7 May 2012 23:31:44 UTC