Since XRD is maybe the first security-sensitive application to depend on
this proposed spec, I think it is appropriate that it work as a laboratory
for the signature-based approach.
On Tue, Feb 24, 2009 at 8:23 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> It will, if extended to host-meta (it is currently discussed for XRD
> documents), but either way will not be part of the host-meta spec.
>
> EHL
>
> > -----Original Message-----
> > From: Ben Laurie [mailto:benl@google.com]
> > Sent: Tuesday, February 24, 2009 1:55 AM
> > To: Adam Barth
> > Cc: Mark Nottingham; Eran Hammer-Lahav; www-talk@w3.org
> > Subject: Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)
> >
> > On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote:
> > > On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote:
> > >> I don't see why - if www.us.example.com chooses to delegate to
> > >> www.hq.example.com, that that is its affair, not ours, surely?
> > >
> > > Following redirects is insecure for sites that let users configure
> > > redirects.
> > >
> > > Every time you trade away security like this, you make it more likely
> > > that host-meta will be unusable for secure metadata. If host-meta is
> > > unsuitable for secure metadata, folks that require security will just
> > > work around host-meta by creating a "secure-meta." I can't tell you
> > > which of the security compromises will cause this to happen. Security
> > > is often a "death of a thousand paper cuts" that eventually add up to
> > > you being owned.
> >
> > I thought signing was supposed to deal with the issues around
> > redirects?
>
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)