- From: Eran Hammer-Lahav <eran@hueniverse.com>
- Date: Mon, 23 Feb 2009 13:04:34 -0700
- To: Adam Barth <w3c@adambarth.com>
- CC: Breno de Medeiros <breno@google.com>, Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, "www-talk@w3.org" <www-talk@w3.org>
On 2/23/09 11:46 AM, "Adam Barth" <w3c@adambarth.com> wrote: > Reality is not as binary as you imply. There are a spectrum of threat > models corresponding to different attacker abilities. Exactly! And I am already aware of one effort looking to add a trust layer to host-meta. Your suggestion of competing solutions fails simple test. It is easier to make the use of host-meta more restrictive (perhaps as you suggested) than invent a completely new one. Nothing in host-meta prevents you from implementing these restrictions (content type, redirections). By itself, host-meta includes no sensitive information or anything that can pose a threat. That will come from applications using it as a facility, just like they use HTTP. We view standards architecture in a very different way. I want to create building blocks and only standardize where there is an overwhelming value in posing restrictions. EHL
Received on Monday, 23 February 2009 20:05:15 UTC