- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 26 Jun 2006 16:58:41 +0000 (UTC)
On Mon, 26 Jun 2006, Gervase Markham wrote: > > > > interface StorageItem { > > attribute boolean secure; > > attribute DOMString value; > > }; > > I would like to suggest the the "secure" attribute be an integer rather > than a boolean, initially with 0 meaning insecure, and 1 meaning secure. > > So, for example, you could have StorageItems which were only returned if > the page on the site was secured with a new EV cert, and was not > accessible to pages which had an ordinary cert or no cert. Is it ever possible to get an "ordinary cert" which claims to identify some domain, but which was not purchased by the owners of that domain? The only reason for the "secure" attribute is to avoid DNS spoofing; the flag has two values -- allow DNS to be spoofed and return the item whether or not the site was spoofed, and only return the item if the site's certificate matched the domain name of the site. I'm happy to make it a tristate flag, but I'd want to better understand why that would make it more secure. If it would make it more secure, that would imply some pretty worrying things about TLS today. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 26 June 2006 09:58:41 UTC