- From: Andrew Sullivan <ajs@anvilwalrusden.com>
- Date: Sun, 30 Aug 2015 12:06:47 -0400
- To: public-web-security@w3.org
On Sun, Aug 30, 2015 at 06:46:21AM +0200, Anders Rundgren wrote:

> I think I understand what you are trying to accomplish.
> DBOUND is about resource sharing between related domains, right?
>
> That's cool but I'm working at the other end of the spectrum where Unrelated, Competing,
> and Independent domains are requesting users for resources like money.

Well, this depends on what you mean by "related". The current discussion got whittled down to just directly-related domains, because that seemed to be the only thing anyone cared about. But IMO, if example.com uses payment processor processor-example.com, then there's a relationship between them.

The point of putting the information online in some way (and in particular, in putting the data up in a bilateral way so that a user could check both sides to see whether they agree) is to allow users to make practical decisions (or more accurately, allow user agents to make such decisions automatically, since most users are not going to be able to make such decisions reasonably). There ought to be a way for example.com to publish, "I use processor-example.com," and for processor-example.com to say, "I confirm that example.com is using us." In the presence of that information, it's possible to proceed with greater assurance that there's no attack going on and without having a magic but small list of (as you call them) Super-Providers.

At least, that's why I think these cases turn out to be the same problem.

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
Received on Sunday, 30 August 2015 16:07:13 UTC
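The bilateral check Andrew describes (example.com says "I use processor-example.com", processor-example.com says "I confirm that example.com is using us", and a user agent proceeds only when both sides agree), as an added illustration that is not part of the thread. The record format, the in-memory directory standing in for records fetched from each domain, and the verdict names are assumptions of this example.

```python
"""Bilateral site <-> payment-processor relationship check (illustrative).

A user agent policy: a payment flow from `site` to `processor` is accepted
only when the site publishes that it uses the processor AND the processor
publishes that it serves the site. One-sided claims are flagged separately
so the failure mode is visible.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    MUTUAL = "both sides agree"
    UNCONFIRMED = "site claims the processor, processor does not confirm"
    UNCLAIMED = "processor confirms the site, site does not claim it"
    NO_RECORDS = "neither side publishes a matching record"


@dataclass
class Assertions:
    uses: set[str] = field(default_factory=set)    # processors this domain says it uses
    serves: set[str] = field(default_factory=set)  # sites this processor says it serves


# Constructed stand-in for records a user agent would fetch from each domain
# (assumed format; the real publication mechanism is not specified in the mail).
DIRECTORY = {
    "example.com": Assertions(uses={"processor-example.com"}),
    "processor-example.com": Assertions(serves={"example.com", "stale-example.com"}),
    "other-example.com": Assertions(uses={"processor-example.com"}),
}


def lookup(domain: str) -> Assertions:
    """Return a domain's published assertions, or an empty record if it has none."""
    return DIRECTORY.get(domain, Assertions())


def check_relationship(site: str, processor: str) -> Verdict:
    """Decide whether the site -> processor relationship is confirmed from both ends."""
    site_claims = processor in lookup(site).uses
    processor_confirms = site in lookup(processor).serves
    if site_claims and processor_confirms:
        return Verdict.MUTUAL
    if site_claims:
        return Verdict.UNCONFIRMED   # processor never vouched for this site
    if processor_confirms:
        return Verdict.UNCLAIMED     # possibly a stale or unilateral processor record
    return Verdict.NO_RECORDS
```

Only `Verdict.MUTUAL` should let the agent proceed without a separate trusted list of providers; every other verdict is a reason to warn or stop.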