- From: Ben Laurie <benl@google.com>
- Date: Wed, 3 Dec 2008 17:34:43 +0000
- To: Breno de Medeiros <breno@google.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>, Jonathan Rees <jar@creativecommons.org>
On Wed, Dec 3, 2008 at 5:32 PM, Breno de Medeiros <breno@google.com> wrote: > There is a bit too much emphasis put on the word 'authoritative' here. > There is so much that can be considered authoritative about an > unsigned document, even if served through HTTPS. Serving a document > over HTTPS just requires defacing a web site, something not that hard > to do considering the great variety of vulnerable server software out > there. > > When we start talking about signing such documents, and where the > trust is coming from, then maybe the word authoritative will take a > real-world significance. > However, from what I have been hearing, the current proposal does not > plan for signing of site-meta, That seems a shame. > and the links pointed to by it will > have to carry implicit trust (maybe they will be signed documents, or > maybe they are just informative). > > It is probably better to think of site-meta as a 'hint' of where to > find things. Which, come to think of it, in these days of readily > spoofable DNS resolution, it also the only level of assurance that DNS > provides. As Ben pointed out, DNS is happy to be authoritative over > pretty much anything and provide assurance about nothing. To be fair, this is why DNSSEC exists.
Received on Wednesday, 3 December 2008 17:35:20 UTC