It will, if extended to host-meta (it is currently discussed for XRD documents), but either way will not be part of the host-meta spec.

EHL

> -----Original Message-----
> From: Ben Laurie [mailto:b...@google.com]
> Sent: Tuesday, February 24, 2009 1:55 AM
> To: Adam Barth
> Cc: Mark Nottingham; Eran Hammer-Lahav; www-talk@w3.org
> Subject: Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)
>
> On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w...@adambarth.com> wrote:
> > On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <b...@google.com> wrote:
> >> I don't see why - if www.us.example.com chooses to delegate to
> >> www.hq.example.com, that that is its affair, not ours, surely?
> >
> > Following redirects is insecure for sites that let users configure
> > redirects.
> >
> > Every time you trade away security like this, you make it more likely
> > that host-meta will be unusable for secure metadata. If host-meta is
> > unsuitable for secure metadata, folks that require security will just
> > work around host-meta by creating a "secure-meta." I can't tell you
> > which of the security compromises will cause this to happen. Security
> > is often a "death of a thousand paper cuts" that eventually add up to
> > you being owned.
>
> I thought signing was supposed to deal with the issues around
> redirects?