On Mon, Feb 23, 2009 at 9:32 AM, Adam Barth <w...@adambarth.com> wrote:
> On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <b...@google.com> wrote:
> > I don't see why - if www.us.example.com chooses to delegate to
> > www.hq.example.com, that that is its affair, not ours, surely?
>
> Following redirects is insecure for sites that let users configure
> redirects.
>
> Every time you trade away security like this, you make it more likely
> that host-meta will be unusable for secure metadata. If host-meta is
> unsuitable for secure metadata, folks that require security will just
> work around host-meta by creating a "secure-meta." I can't tell you
> which of the security compromises will cause this to happen. Security
> is often a "death of a thousand paper cuts" that eventually add up to
> you being owned.

I don't understand this reasoning.

1. The host-meta spec allows delegation to other domains/hosts
2. Secure app does not allow redirection to other domains/hosts
3. Secure app does not use host-meta and instead secure-meta, as opposed to, say, using host-meta and not following redirects to other sites?

For secure app to be secure re:no-redirect-rule it must in any way perform the check that the redirection is to another realm, surely?

There is enormous value in allowing redirects for host-meta. Applications with higher levels of security should implement their own security policies.

> Adam

--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
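An added example, not code from this thread or from any host-meta implementation, contrasting the two behaviours under discussion: a fetcher that follows every host-meta redirect, and a "secure app" policy that refuses redirects leaving the original host. The in-memory web, hostnames, policy names and metadata bodies are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed, offline stand-in for HTTP servers: URL -> (status, headers, body).
# www.us.example.com delegates to www.hq.example.com (the case Ben describes);
# blog.example.net carries a user-configured redirect to an unrelated host.
FAKE_WEB = {
    "https://www.us.example.com/.well-known/host-meta":
        (302, {"Location": "https://www.hq.example.com/.well-known/host-meta"}, ""),
    "https://www.hq.example.com/.well-known/host-meta":
        (200, {}, "<XRD>hq metadata</XRD>"),
    "https://blog.example.net/.well-known/host-meta":
        (302, {"Location": "http://third-party.invalid/host-meta"}, ""),
    "http://third-party.invalid/host-meta":
        (200, {}, "<XRD>metadata not controlled by example.net</XRD>"),
}

def redirect_allowed(origin: str, target: str, policy: str) -> bool:
    """Decide whether a host-meta fetch may follow a redirect.
    'any'       : follow every redirect (plain host-meta delegation).
    'same-host' : only follow redirects that stay on the ORIGINAL host and keep
                  the original scheme, so an https fetch cannot be downgraded.
    Both policy names are assumptions made for this example."""
    o, t = urlsplit(origin), urlsplit(target)
    if policy == "any":
        return True
    if policy == "same-host":
        return t.hostname == o.hostname and t.scheme == o.scheme
    raise ValueError(f"unknown policy {policy!r}")

def fetch_host_meta(host: str, policy: str = "same-host", max_redirects: int = 5):
    """Fetch https://<host>/.well-known/host-meta from FAKE_WEB, following
    redirects only as the policy permits. Returns (final_url, body) on success,
    or (None, reason) when the policy or the redirect limit stops the fetch."""
    origin = f"https://{host}/.well-known/host-meta"
    url = origin
    for _ in range(max_redirects):
        status, headers, body = FAKE_WEB.get(url, (404, {}, ""))
        if status == 200:
            return url, body
        if status in (301, 302, 303, 307, 308):
            target = urljoin(url, headers["Location"])
            if not redirect_allowed(origin, target, policy):
                return None, f"redirect to {target} blocked by policy {policy!r}"
            url = target
            continue
        return None, f"HTTP {status} for {url}"
    return None, "too many redirects"
```

Under the 'any' policy the blog.example.net fetch returns metadata served by a host example.net does not control, which is the case Adam's objection is about; under 'same-host' the same fetch is refused and the application can fall back to its own policy.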