- From: Eran Hammer-Lahav <eran@hueniverse.com>
- Date: Tue, 24 Feb 2009 09:23:03 -0700
- To: Ben Laurie <benl@google.com>, Adam Barth <w3c@adambarth.com>
- CC: Mark Nottingham <mnot@mnot.net>, "www-talk@w3.org" <www-talk@w3.org>
It will, if extended to host-meta (it is currently discussed for XRD documents), but either way will not be part of the host-meta spec. EHL > -----Original Message----- > From: Ben Laurie [mailto:benl@google.com] > Sent: Tuesday, February 24, 2009 1:55 AM > To: Adam Barth > Cc: Mark Nottingham; Eran Hammer-Lahav; www-talk@w3.org > Subject: Re: Origin vs Authority; use of HTTPS (draft-nottingham-site- > meta-01) > > On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote: > > On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote: > >> I don't see why - if www.us.example.com chooses to delegate to > >> www.hq.example.com, that that is its affair, not ours, surely? > > > > Following redirects is insecure for sites that let users configure > redirects. > > > > Every time you trade away security like this, you make it more likely > > that host-meta will be unusable for secure metadata. If host-meta is > > unsuitable for secure metadata, folks that require security will just > > work around host-meta by creating a "secure-meta." I can't tell you > > which of the security compromises will cause this to happen. > Security > > is often a "death of a thousand paper cuts" that eventually add up to > > you being owned. > > I thought signing was supposed to deal with the issues around > redirects?
Received on Tuesday, 24 February 2009 16:23:50 UTC