- From: Jonathan Rees <jar@creativecommons.org>
- Date: Tue, 29 Dec 2009 20:14:01 -0500
- To: Tyler Close <tyler.close@gmail.com>
- Cc: www-tag@w3.org, "Mark S. Miller" <erights@google.com>

One thing puzzled me:

The only really secure solution (against DNS attacks, MITM, and so on) is to put the unguessable part in the fragid. This would point directly at the webkeys approach.

The Google Calendar case is something like

http://www.google.com/calendar/hosted/creativecommons.org/embed?src=jonathan.rees%40gmail.com&ctz=America/New_York&pvttk=ebbb36156aaf108300c96ad196573f5d

(The bits have been changed to protect the innocent.) Note (1) http not https, (2) unguessable portion before #, not after #.

Do we endorse this kind of thing, tolerate it, or advise against it? Are any private URIs other than web-keys OK? I guess I was trying to hedge, which in retrospect was a bad idea.

Jonathan

Received on Wednesday, 30 December 2009 01:14:36 UTC
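
Added example, not part of the original message: a Python sketch that splits a URL into what the client puts in the HTTP request versus what stays in the fragment, applied to the URL quoted above and to a constructed https URL with the token after `#`. The function name `wire_view`, the host `calendar.example`, the token `CONSTRUCTED-TOKEN` and the key=value fragment layout are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# URL as quoted in the message (its author notes the token bits were changed).
CALENDAR_URL = ("http://www.google.com/calendar/hosted/creativecommons.org/embed"
                "?src=jonathan.rees%40gmail.com&ctz=America/New_York"
                "&pvttk=ebbb36156aaf108300c96ad196573f5d")
# Constructed contrast case: https, token after '#'. Host and token are made up.
FRAGMENT_URL = "https://calendar.example/embed?src=user%40example.org#pvttk=CONSTRUCTED-TOKEN"


def wire_view(url, secret_param):
    """Describe what an HTTP client transmits for `url` and where the secret sits."""
    parts = urlsplit(url)
    # The request-target is path + query only; the fragment is never part of it.
    request_target = parts.path or "/"
    if parts.query:
        request_target += "?" + parts.query
    in_query = secret_param in dict(parse_qsl(parts.query))
    # Assumption: the fragment is laid out as key=value pairs like a query string.
    in_fragment = secret_param in dict(parse_qsl(parts.fragment))
    return {
        "host": parts.netloc,
        "request_target": request_target,
        "secret_in_request": in_query,
        "secret_cleartext_on_network": in_query and parts.scheme != "https",
        "secret_stays_in_client": in_fragment and not in_query,
    }


if __name__ == "__main__":
    for label, url in (("message", CALENDAR_URL), ("constructed", FRAGMENT_URL)):
        view = wire_view(url, "pvttk")
        print(label)
        for key, value in view.items():
            print(f"  {key}: {value}")
```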