- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 23 Feb 2009 09:32:32 -0800
- To: Ben Laurie <benl@google.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote:
> I don't see why - if www.us.example.com chooses to delegate to
> www.hq.example.com, that that is its affair, not ours, surely?

Following redirects is insecure for sites that let users configure redirects.

Every time you trade away security like this, you make it more likely that host-meta will be unusable for secure metadata. If host-meta is unsuitable for secure metadata, folks that require security will just work around host-meta by creating a "secure-meta."

I can't tell you which of the security compromises will cause this to happen. Security is often a "death of a thousand paper cuts" that eventually add up to you being owned.

Adam

Received on Monday, 23 February 2009 17:34:23 UTC
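
Added example, not part of the original message: a metadata fetch that treats a redirect as "this host published no metadata" instead of following it, so a redirect configured by a site's user cannot supply metadata for the whole host. The `/host-meta` path, the function and class names, and the loopback test site are assumptions made for the illustration; plain HTTP is used only so the example runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HOST_META_PATH = "/host-meta"  # assumed path; the message does not give one


class RedirectRefused(Exception):
    """The host answered the metadata request with a redirect."""


def fetch_host_meta(host, port, path=HOST_META_PATH, timeout=5):
    """Return the metadata body only if the host itself answers 200.

    http.client never follows redirects on its own, so a 3xx stays visible
    here and is rejected instead of being chased to another origin.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        if 300 <= resp.status < 400:
            raise RedirectRefused(f"{resp.status} -> {resp.getheader('Location')}")
        if resp.status != 200:
            raise LookupError(f"no host-meta (HTTP {resp.status})")
        return body
    finally:
        conn.close()


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed test site: /direct is served by the site itself, every
    other path stands in for a redirect that a user of the site configured."""

    def do_GET(self):
        if self.path == "/direct":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"site-owned metadata")
        else:
            self.send_response(302)
            self.send_header("Location", "http://other.example/host-meta")
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed site on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```
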