- From: Breno de Medeiros <breno@google.com>
- Date: Wed, 3 Dec 2008 09:32:47 -0800
- To: Ben Laurie <benl@google.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>, Jonathan Rees <jar@creativecommons.org>
There is a bit too much emphasis put on the word 'authoritative' here. There is so much that can be considered authoritative about an unsigned document, even if served through HTTPS. Serving a document over HTTPS just requires defacing a web site, something not that hard to do considering the great variety of vulnerable server software out there. When we start talking about signing such documents, and where the trust is coming from, then maybe the word authoritative will take a real-world significance. However, from what I have been hearing, the current proposal does not plan for signing of site-meta, and the links pointed to by it will have to carry implicit trust (maybe they will be signed documents, or maybe they are just informative). It is probably better to think of site-meta as a 'hint' of where to find things. Which, come to think of it, in these days of readily spoofable DNS resolution, it also the only level of assurance that DNS provides. As Ben pointed out, DNS is happy to be authoritative over pretty much anything and provide assurance about nothing. On Wed, Dec 3, 2008 at 7:40 AM, Ben Laurie <benl@google.com> wrote: > > On Wed, Dec 3, 2008 at 12:58 PM, Mark Nottingham <mnot@mnot.net> wrote: >> On 03/12/2008, at 11:32 PM, Ben Laurie wrote: >>> There are standards for XSS??? >> >> There's a de facto standard in the browsers (same origin), and these folks >> are working towards something more formal, maybe; >> http://www.w3.org/2006/WSC/ > > Same origin policy isn't really all that much to do with cross-site > scripting, surely? > > -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7)
Received on Wednesday, 3 December 2008 17:33:27 UTC