On Tue, 18 Dec 2007 15:37:30 +0100, Doyle, Bill <[EMAIL PROTECTED]>
wrote:
Not sure how the web server protects itself - "site should be protected from any other requests until it grants access"
## Sorry I was not clear. The Web Server needs to be able to control
its IA boundary. In your description and reply the client provides the
protection.
Issue is that the web server owner loses Information Assurance (IA) control; this is an issue for my customers. IA control cannot be handed over to a 3rd party. For my customers, the web server owners need to manage the IA settings.
Do you have a more concrete scenario that illustrates this? I'm not sure I follow.
## Draft notes that the client becomes the Policy Decision Point; the IA boundary of the server is extended to include the client.
Since we are trying to prevent the client from sending a dangerous
request, there has to be some interaction with the client. I.e. we have
to send some data to the client to indicate that the dangerous request
should not be performed.
Not sure how you could possibly avoid that?
However, note that "don't send anything different from what you've been
sending before" is considered such an indication. So effectively you are
safe by default.
/ Jonas
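The division of labour the two of them are arguing about, as an added example that is not part of the thread, of any draft, or of any browser: the server owner writes the access policy and states it in responses; the client acts as the policy decision point and refuses to send a "dangerous" request unless the server has granted it; anything a client could always send cross-site goes through by default. Header names follow today's CORS, which is an assumption (the thread does not name the mechanism); the sites, paths and policy below are constructed for the demonstration.

```python
"""Client-side policy decision point for cross-site requests (added example)."""
from dataclasses import dataclass, field

# Requests a client could always send cross-site (forms, links, images).
# Anything outside this envelope is "dangerous" and needs an explicit grant.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                      "multipart/form-data", "text/plain"}


@dataclass
class Request:
    origin: str            # site whose script is making the request
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def is_safe_by_default(req: Request) -> bool:
    """True if the request is nothing a client could not already send."""
    if req.method not in SAFE_METHODS:
        return False
    hdrs = {k.lower(): v for k, v in req.headers.items()}
    if any(name not in SAFE_HEADERS for name in hdrs):
        return False
    ctype = hdrs.get("content-type", "text/plain").split(";")[0].strip()
    return ctype in SAFE_CONTENT_TYPES


class Server:
    """Resource owner's side: the access policy is configured here only."""

    def __init__(self, allowed_origins, allowed_methods):
        self.allowed_origins = set(allowed_origins)
        self.allowed_methods = set(allowed_methods)
        self.received = []  # (method, path, origin) of what actually arrived

    def handle(self, req: Request) -> Response:
        self.received.append((req.method, req.path, req.origin))
        granted = req.origin in self.allowed_origins
        if req.method == "OPTIONS":
            # Preflight: answer the question, perform no action.
            wanted = req.headers.get("Access-Control-Request-Method", "")
            if granted and wanted in self.allowed_methods:
                return Response(204, {
                    "Access-Control-Allow-Origin": req.origin,
                    "Access-Control-Allow-Methods": ", ".join(sorted(self.allowed_methods))})
            return Response(204)  # no grant headers: the client must stop here
        # A real request. Safe-by-default ones arrive regardless of policy
        # (they always could); the grant header only decides whether the
        # requesting site gets to read the response.
        return Response(200, {"Access-Control-Allow-Origin": req.origin} if granted else {})


class Client:
    """Policy decision point: enforces the server's answer before sending."""

    def __init__(self, server: Server):
        self.server = server

    def fetch(self, req: Request) -> str:
        if not is_safe_by_default(req):
            preflight = Request(req.origin, "OPTIONS", req.path,
                                {"Access-Control-Request-Method": req.method})
            grant = self.server.handle(preflight)
            allowed_methods = {m.strip() for m in
                               grant.headers.get("Access-Control-Allow-Methods", "").split(",")}
            if (grant.headers.get("Access-Control-Allow-Origin") != req.origin
                    or req.method not in allowed_methods):
                return "blocked"          # dangerous request never leaves the client
        resp = self.server.handle(req)
        if resp.headers.get("Access-Control-Allow-Origin") == req.origin:
            return "sent, response readable"
        return "sent, response withheld"   # legacy behaviour: opaque to the script


def demo():
    """Constructed scenario: one server, one partner site, one stranger."""
    server = Server({"https://partner.example"}, {"DELETE", "PUT"})
    client = Client(server)
    results = {
        "stranger_get": client.fetch(Request("https://evil.example", "GET", "/report")),
        "partner_delete": client.fetch(Request("https://partner.example", "DELETE", "/item/7")),
        "stranger_delete": client.fetch(Request("https://evil.example", "DELETE", "/item/7")),
    }
    return results, server.received


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    print(log)
```

Running `demo()` shows both halves of the argument: the stranger's DELETE is blocked on the client and never appears in `server.received` (only its preflight OPTIONS does), while the stranger's plain GET still arrives, because it is nothing the server was not already exposed to. The policy itself is only ever written in `Server.__init__`; the client merely enforces what the server answered, which is the sense in which the server's boundary is "extended" to the client.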