- From: Jeffrey Walton <noloader@gmail.com>
- Date: Mon, 18 May 2015 13:57:16 -0400
- To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>, Rigo Wenning <rigo@w3.org>

On Mon, May 18, 2015 at 8:54 AM, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote:
> Dear all,
>
> In case you missed it, the second report of STREWS has been delivered last
> week, focusing on the security web architecture (and tools to improve the
> web security).
>
> It is available here :
> http://www.strews.eu/images/StrewsWebSecurityArchitecture.pdf
>
> Any question, comment, should be directed to Rigo (CCed).

The treatment of DNS and the section on DNSSEC is very good. It makes a lot of good points on why browsers are not using information from DNS for things like CA (CAA Resource Records) and public key pinsets (SSHFP-like resource records specifying pinsets).

The document seems to be missing a treatment of a subject, though. The subject is the integrity and authenticity of the WHOIS information used in Domain Validation.

On the surface, it appears the integrity and authenticity of the database is accepted when performing domain validations, but later rejected for things like additional resource records that could provide context specific security information. But I'm probably reading or parsing it incorrectly.

Jeff

Received on Monday, 18 May 2015 17:57:43 UTC