W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] Review

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 22 Jun 2009 15:24:45 -0700
Message-ID: <7789133a0906221524h65e81138vf20e2a9d3658d49f@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Jun 22, 2009 at 3:09 PM, Tyler Close<tyler.close@gmail.com> wrote:
>> Why do you assume my router has a private IP address?
> Because it does?

I've used several networks that used several networks that used public
IP addresses behind firewalls and that relied on connectivity
security.  If I recall correctly, the network at the computer science
department at Stanford is configured this way and they use
connectivity to control access to their printers.

In any case, I don't think it's a robust assumption for the future of
web security.  What happens when IPv6 causes every toaster to have a
public IP address?

>>  It seems fragile and magical to hang our hat on that for security.
> No more fragile and magical than a home router hanging its hat on
> connectivity for security.

Now we're going in circles.  I've given you a number of use cases
where connectivity security makes sense.  You alternatively insist
that (1) connectivity / IP-based authentication is a fragile/bad idea
and (2) that you aren't insisting that!

> That's not an accurate portrayal of my argument. Try again.

Can you explain your argument in simple steps like the above?  I
clearly don't understand your position.

Received on Monday, 22 June 2009 22:25:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC