WRT DNS rebinding - my initial reaction is that this isn't the proper
place to fix this problem; it's not unique by any means to this
proposal.
My inclination, then, would be to note DNS rebinding as a risk in
Security Considerations that prudent clients can protect themselves
against, if necessary.
Luckily, the IETF has mechanisms in place to get security reviews of
proposals, so we can avail ourselves of that to get more definitive
advice.
Cheers,
On 12/02/2009, at 7:31 AM, Adam Barth wrote:
On Wed, Feb 11, 2009 at 11:52 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
Your approach is wrong. Host-meta should not be trying to address such
security concerns.
Ignoring security problems doesn't make them go away. It just means
you'll have to pay the piper more later.
Applications making use of it should. There are plenty of applications
where no one cares about security. Obviously, crossdomain.xml needs to
be secure, since, well, it is all about that.
What's the point of a central metadata repository that can't handle
the most popular use case of metadata?
An application with strict security requirements should pay attention
to the experience you are referring to. We certainly agree on that. But
that is application-specific.
Here's what I recommend:
1) Change the scope of the host-meta to default to the origin of the
URL from which it was retrieved (as computed by the algorithm in
draft-abarth-origin).
2) Let particular applications narrow this scope if they require
additional granularity.
Adam
--
Mark Nottingham http://www.mnot.net/
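Recommendation 1 in the quoted message, worked through as an added example that is not code from this thread or from draft-abarth-origin: compute the scheme/host/port origin of the URL a host-meta document was fetched from, and apply its metadata by default only to same-origin targets. The sample URLs, the function names, and the `path_prefix` mechanism used to illustrate an application narrowing the scope (recommendation 2) are assumptions.

```python
from urllib.parse import urlsplit

# Default ports per scheme: "http://a.example/" and "http://a.example:80/" are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin triple of an http(s) URL.

    Illustrative reconstruction of the scheme/host/port origin model of
    draft-abarth-origin, not that draft's own code. Scheme and host are
    case-insensitive; an omitted port means the scheme's default port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) URL with a host: %r" % (url,))
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def hostmeta_scope_covers(hostmeta_url, target_url, path_prefix=None):
    """Decide whether a host-meta document fetched from hostmeta_url may
    be applied to target_url.

    Recommendation 1: the default scope is the origin of hostmeta_url, so
    cross-scheme, cross-host and cross-port targets are refused.
    Recommendation 2: an application may narrow that scope further; here
    (an assumed mechanism) by a path prefix the target path must start with.
    """
    if origin(hostmeta_url) != origin(target_url):
        return False
    if path_prefix is not None:
        target_path = urlsplit(target_url).path or "/"
        return target_path.startswith(path_prefix)
    return True


if __name__ == "__main__":
    # Constructed sample URLs; only the first target shares the origin.
    meta = "http://example.com/.well-known/host-meta"
    for target in ("http://EXAMPLE.com:80/app",
                   "https://example.com/app",
                   "http://example.com:8080/app",
                   "http://other.example.net/app"):
        print(target, "->", hostmeta_scope_covers(meta, target))
```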