Sub-domain granularity: the poverty of the domain name as the only hook for security

The HSTS spec (http://tools.ietf.org/html/rfc6797) is a good start, but it is not useful for serious websites which have many separate parts which have to have different policies, management, etc.

Similarly, the Same Origin Policy in general is very hampering, in that it only works at the domain level, not at any path level. It would have been not very much harder to set both of them up to work on subtrees within the domain, and both would have been much more powerful and useful. I propose they both be fixed in future.

The result of these two has been a pain, and many perverse incentives and side-effects; for just one example, github.com/linkdata having to half-move to linkeddata.github.com (which is now a mess and loses locality of linking between the two), and w3.org not being able to move to HTTPS at all because of being unable to apply HSTS path by path.

Just saying.

Timbl

Received on Monday, 16 March 2015 13:28:41 UTC
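The two mechanisms the message complains about can be made concrete in a few lines. The following is an added illustration, not code from the message's author or from any W3C project: it implements the origin comparison the Same Origin Policy uses (scheme, host, port, with the path deliberately absent) and the host-matching rule of RFC 6797 section 8.3 (an exact match, or a superdomain match when `includeSubDomains` was set), fed by a minimal `Strict-Transport-Security` header parser. The hostnames `example.org`, `legacy.example.org` and the HSTS cache entries are constructed for the demonstration; the point it shows is that two subtrees of one host cannot be given different policies by either mechanism, and that one subtree's HSTS header binds the whole host.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple compared by the Same Origin Policy.

    The path is intentionally not part of the result: /secure-app/ and /legacy/
    on the same host are one origin, so the policy cannot tell them apart.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when the two URLs share scheme, host and port (path ignored)."""
    return origin(url_a) == origin(url_b)


def parse_sts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    RFC 6797 defines only max-age and includeSubDomains; there is no directive
    that would scope the policy to a path, which is the gap the message points at.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def hsts_applies(store, host):
    """RFC 6797 section 8.3 matching against a known-HSTS-host store.

    store maps a host name to its includeSubDomains flag. A host is covered when
    it is itself a known HSTS host (congruent match), or when any superdomain is
    a known HSTS host that was recorded with includeSubDomains (superdomain match).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in store:
            if i == 0 or store[candidate]:
                return True
    return False


def demo():
    """Constructed scenario: one host with a hardened app and a legacy http part."""
    # The hardened part of the site sends this header (constructed value).
    max_age, include_sub = parse_sts("max-age=31536000; includeSubDomains")
    store = {"example.org": include_sub}  # a browser would cache it like this
    return {
        # SOP: same origin despite living in different subtrees
        "same_origin_across_paths": same_origin(
            "https://example.org/secure-app/index.html",
            "https://example.org/legacy/form.cgi"),
        # HSTS: policy sent from /secure-app/ now governs /legacy/ and subdomains
        "legacy_forced_to_https": hsts_applies(store, "example.org"),
        "subdomain_forced_to_https": hsts_applies(store, "legacy.example.org"),
        "unrelated_host_untouched": hsts_applies(store, "notexample.org"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the demo prints `True` for the first three keys and `False` for the last: the header emitted by one subtree binds every path and every subdomain of the host, while the origin check sees no difference between the subtrees at all.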