- From: Andrew Sullivan <ajs@anvilwalrusden.com>
- Date: Sat, 29 Aug 2015 10:17:03 -0400
- To: public-web-security@w3.org
On Sat, Aug 29, 2015 at 10:21:12AM +0200, Anders Rundgren wrote:

> A core part of the Web Security model is based on SOP.
>
> However, the world (outside of the Web) isn't working according to this model; it is rather ad-hoc.

Some of us believe that part of the reason the world isn't working that way is that the SOP elevates the value of information you get from a domain name in a URL. We're trying to do something about it in the IETF's DBOUND WG, and we could use some help. In particular,

> This is where it (IMO) gets wrong. If Super-Providers are trusted for mediating access to arbitrary domains, why couldn't [properly designed] applications also perform this task?

I believe that the problem is partly that it's hard for an operator of a site to declare complicated policies about relationships with other domains on the Internet. I think that the efforts in DBOUND are at least a step forward, but I worry that people think that a slightly more capable maintenance regime for the PSL (public suffix list) will be enough. To me, the PSL is already inadequate and just trying to make its maintenance easier is a waste of effort.

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
Received on Saturday, 29 August 2015 14:17:30 UTC
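The message above turns on how much weight the Same-Origin Policy (and its "site" relaxations) put on the domain name, and on the public suffix list as the thing that decides where one operator's domain ends and another's begins. The following added example (not code from this thread, from the W3C list, or from the DBOUND work) implements the public suffix matching algorithm over a small constructed rule set, so the reader can see exactly how a host name is cut into "public suffix" and "registrable domain" and why two hosts under the same provider can be treated as different sites. The rule set, the host names and the function names `public_suffix`, `registrable_domain` and `same_site` are all assumptions made for this illustration; the real list is far larger and is maintained separately from any site operator's own policy, which is the limitation the message points at.

```python
# Public-suffix-list (PSL) matcher, added as an illustration; not code from
# the mailing-list thread or from the IETF DBOUND work.
# The rule set is a CONSTRUCTED subset for demonstration, not the real list.

CONSTRUCTED_RULES = [
    "com",
    "uk",
    "co.uk",       # second-level public suffix: example.co.uk is registrable
    "ck",
    "*.ck",        # wildcard: every label directly under .ck is a public suffix
    "!www.ck",     # exception: www.ck itself is a registrable domain
    "github.io",   # a hosting provider listing its customer subdomains as a suffix
]


def _parse(rule):
    """Return (is_exception, labels) for one PSL rule line."""
    exception = rule.startswith("!")
    return exception, rule.lstrip("!").split(".")


def _matches(rule_labels, host_labels):
    """A rule matches when its labels are a suffix of the host's labels.
    A '*' label in the rule matches exactly one arbitrary host label."""
    if len(rule_labels) > len(host_labels):
        return False
    for r, h in zip(reversed(rule_labels), reversed(host_labels)):
        if r != "*" and r != h:
            return False
    return True


def public_suffix(host, rules=CONSTRUCTED_RULES):
    """Public suffix of `host` per the PSL algorithm:
    an exception rule wins; otherwise the matching rule with the most labels;
    if nothing matches, the implicit rule '*' (the TLD itself) applies."""
    host_labels = host.lower().rstrip(".").split(".")
    exception_labels = None
    longest = None
    for rule in rules:
        is_exception, labels = _parse(rule)
        if not _matches(labels, host_labels):
            continue
        if is_exception:
            exception_labels = labels
        elif longest is None or len(labels) > len(longest):
            longest = labels
    if exception_labels is not None:
        winner = exception_labels[1:]   # exception: drop the leftmost label
    elif longest is not None:
        winner = longest
    else:
        winner = ["*"]
    n = len(winner)
    if n > len(host_labels):
        return None
    return ".".join(host_labels[-n:])


def registrable_domain(host, rules=CONSTRUCTED_RULES):
    """Public suffix plus one more label (often called eTLD+1).
    Returns None when the host is itself a public suffix."""
    host_labels = host.lower().rstrip(".").split(".")
    suffix = public_suffix(host, rules)
    if suffix is None:
        return None
    n = len(suffix.split("."))
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def same_site(host_a, host_b, rules=CONSTRUCTED_RULES):
    """True when both hosts share a registrable domain, which is the
    PSL-derived notion of 'site' that browsers build on top of the SOP."""
    ra = registrable_domain(host_a, rules)
    rb = registrable_domain(host_b, rules)
    return ra is not None and ra == rb


if __name__ == "__main__":
    # Constructed host names for the demonstration.
    for a, b in [("www.example.com", "api.example.com"),
                 ("alice.github.io", "bob.github.io"),
                 ("foo.bar.ck", "baz.bar.ck"),
                 ("www.ck", "foo.www.ck")]:
        print(f"{a:18} {b:18} same site: {same_site(a, b)}")
```

Note that the only knob a site operator has here is whether its name appears in a centrally maintained list: `alice.github.io` and `bob.github.io` are split into different sites because the provider submitted a rule, while an operator who wants a finer-grained relationship with another domain has no way to express it in this mechanism at all.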