- From: Andrew Sullivan <ajs@anvilwalrusden.com>
- Date: Mon, 7 May 2012 08:46:45 -0400
- To: Peter Saint-Andre <stpeter@stpeter.im>
- Cc: Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
On Sun, May 06, 2012 at 07:17:43PM -0600, Peter Saint-Andre wrote:
> On 5/5/12 4:17 AM, Thomas Roessler wrote:
> > For your information:
> > http://tools.ietf.org/html/draft-sullivan-domain-origin-assert-00
> >
> > This seems targeted at situations where different domain names want to assert that they're something like same-origin, and for use by security policies implemented in browsers.
>
> Hi Thomas,
>
> Having talked with Andrew and other folks quite a bit about this topic
> (most recently at IETF 83), I'd say that ultimately it is directed at
> finding a way to build a scalable approach to solving the same problem
> that is solved right now with the public suffix list.

Well, both, really. In my opinion, the public suffix list has a number of problems, one of which is that its categorization isn't quite right: what it's trying to communicate is whether a given domain is a registration-centric domain across organizational boundaries. Such an assertion is the flip side of the same-origin policy, and therefore I think the two issues can be addressed in a complementary way using one mechanism. At least, I hope so.

Thanks to Thomas, in any case, for forwarding the mention. Any review is appreciated.

Best,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
Received on Wednesday, 9 May 2012 21:25:07 UTC