On Wed, May 18, 2011 at 9:33 AM, Winfried Tilanus <[email protected]> wrote:

> An XHR client will also be bound to the same origin principle. So the
> domain checking (and the leap of faith in that server) already happened
> there.

No it's not; that's what CORS is for.

> But for other clients your point is valid. Because of the rapid
> adaptation of DNSSEC, I believe it would be best to let DNSSEC fix the
> problem, and not try to bring an intermediate fix in place in XEP-0156.
> That would be the right place to fix the issue anyway, because it
> started with not trusting DNS in the first place.

It's a mistake to have security depending on DNS, when XMPP itself is carefully designed not to do so. It's a complex and unnecessary security dependency, making BOSH implementations and deployments much more complicated than XMPP.

There also seems to be a fundamental issue with depending on DNSSEC when also depending on TLS certificates: there are two separate trust chains. With TLS, root CAs have to be trusted; with DNSSEC, DNS registrars have to be trusted. By not trusting DNS, an entire chain of trust is avoided.

-- 
Glenn Maynard
