Since XRD is maybe the first security-sensitive application to depend on this proposed spec, I think it is appropriate that it work as a laboratory for the signature-based approach.
On Tue, Feb 24, 2009 at 8:23 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> It will, if extended to host-meta (it is currently discussed for XRD
> documents), but either way will not be part of the host-meta spec.
>
> EHL
>
> > -----Original Message-----
> > From: Ben Laurie [mailto:b...@google.com]
> > Sent: Tuesday, February 24, 2009 1:55 AM
> > To: Adam Barth
> > Cc: Mark Nottingham; Eran Hammer-Lahav; www-talk@w3.org
> > Subject: Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)
> >
> > On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w...@adambarth.com> wrote:
> > > On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <b...@google.com> wrote:
> > >> I don't see why - if www.us.example.com chooses to delegate to
> > >> www.hq.example.com, that is its affair, not ours, surely?
> > >
> > > Following redirects is insecure for sites that let users configure redirects.
> > >
> > > Every time you trade away security like this, you make it more likely
> > > that host-meta will be unusable for secure metadata. If host-meta is
> > > unsuitable for secure metadata, folks that require security will just
> > > work around host-meta by creating a "secure-meta." I can't tell you
> > > which of the security compromises will cause this to happen. Security
> > > is often a "death of a thousand paper cuts" that eventually add up to
> > > you being owned.
> >
> > I thought signing was supposed to deal with the issues around redirects?
>

--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
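The redirect concern in the quoted exchange, as an added example that is not from any participant in the thread: a small Python host-meta fetcher in which a redirect to a different host is an explicit policy decision of the relying party rather than something followed silently. The hostnames, the in-memory responses and the `follow_cross_host` switch are constructed for illustration.

```python
from urllib.parse import urlsplit


class HostMetaError(Exception):
    """Raised when a host-meta fetch violates the client's redirect policy."""


# Constructed sample responses standing in for real HTTP fetches:
# url -> (status, Location header, body). Hostnames are illustrative only.
RESPONSES = {
    # An operator-chosen delegation, as in the thread's example.
    "https://www.us.example.com/host-meta":
        (302, "https://www.hq.example.com/host-meta", None),
    "https://www.hq.example.com/host-meta":
        (200, None, "<XRD>metadata published by hq</XRD>"),
    # A site where an ordinary user was able to configure the redirect.
    "https://pages.example.org/host-meta":
        (302, "https://untrusted.example.net/host-meta", None),
    "https://untrusted.example.net/host-meta":
        (200, None, "<XRD>metadata published by a third party</XRD>"),
}


def memory_fetch(url):
    """Stand-in for an HTTP GET over the constructed response table."""
    return RESPONSES.get(url, (404, None, None))


def fetch_host_meta(authority, fetch=memory_fetch, follow_cross_host=False, max_hops=3):
    """Fetch https://<authority>/host-meta, following redirects only while they
    stay on `authority` unless the caller explicitly opts into cross-host
    delegation. Anything else is an error, not a silent change of trust root."""
    url = f"https://{authority}/host-meta"
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if status == 200:
            return body
        if status in (301, 302, 303, 307, 308) and location:
            target = urlsplit(location)
            if target.scheme != "https":
                raise HostMetaError(f"redirect to non-HTTPS URL refused: {location}")
            if target.hostname != authority and not follow_cross_host:
                raise HostMetaError(f"{authority} redirected to {target.hostname}; refused")
            url = location
            continue
        raise HostMetaError(f"unexpected status {status} for {url}")
    raise HostMetaError(f"too many redirects fetching host-meta for {authority}")


def metadata_source(authority, follow_cross_host=False):
    """Return the fetched document, or None when the policy refuses it."""
    try:
        return fetch_host_meta(authority, follow_cross_host=follow_cross_host)
    except HostMetaError:
        return None
```

With the strict default, both redirecting hosts are refused; only a client that opts into cross-host delegation ends up trusting the third-party document for pages.example.org.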