Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

WRT DNS rebinding - my initial reaction is that this isn't the proper  
place to fix this problem; it's not unique by any means to this  
proposal.

My inclination, then, would be to note DNS rebinding as a risk in  
Security Considerations that prudent clients can protect themselves  
against, if necessary.

Luckily, the IETF has mechanisms in place to get security reviews of  
proposals, so we can avail ourselves of that to get more definitive  
advice.

Cheers,



On 12/02/2009, at 7:31 AM, Adam Barth wrote:

> On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>> Your approach is wrong. Host-meta should not be trying to address such
>> security concerns.
>
> Ignoring security problems doesn't make them go away.  It just means
> you'll have to pay the piper more later.
>
>> Applications making use of it should. There are plenty of
>> applications where no one cares about security. Obviously, crossdomain.xml
>> needs to be secure, since, well, it is all about that.
>
> What's the point of a central metadata repository that can't handle
> the most popular use case of metadata?
>
>> An application with strict security requirements should pay attention to the
>> experience you are referring to. We certainly agree on that. But that is
>> application-specific.
>
> Here's what I recommend:
>
> 1) Change the scope of the host-meta to default to the origin of the
> URL from which it was retrieved (as computed by the algorithm in
> draft-abarth-origin).
>
> 2) Let particular applications narrow this scope if they require
> additional granularity.
>
> Adam


--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 12 February 2009 11:13:46 UTC
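
The two-step scoping rule recommended in the quoted message, as an added example that is not part of the original thread or of either draft: metadata applies by default to the whole origin (scheme, host, port) of the URL it was retrieved from, and an application may narrow that. The function names, the path-prefix form of narrowing, and the example.com URLs are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of an http(s) URL, or None."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None                # other schemes share no origin here
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def in_scope(meta_url, resource_url, path_prefix="/"):
    """True if metadata retrieved from meta_url may describe resource_url.

    Step 1: the default scope is the full origin of meta_url.
    Step 2: path_prefix (hypothetical narrowing) restricts it further.
    """
    meta_origin = origin(meta_url)
    if meta_origin is None or origin(resource_url) != meta_origin:
        return False
    path = unquote(urlsplit(resource_url).path) or "/"
    if ".." in path.split("/"):    # refuse dot-segments that escape the prefix
        return False
    prefix = path_prefix if path_prefix.endswith("/") else path_prefix + "/"
    return (path + "/").startswith(prefix)


if __name__ == "__main__":
    meta = "https://example.com/host-meta"   # constructed sample URL
    for target in ("https://example.com:443/a",   # same origin
                   "http://example.com/a",        # scheme differs
                   "https://example.com:8443/a"): # port differs
        print(target, in_scope(meta, target))
```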