Hello Everyone,

In my quest to replace passwords with client certificates I've come up with a way to replace the current hostname:port based Same Origin Policy with one based upon Public Key Cryptography.

It wasn't possible with the global CAs as they only certify a domain name. But with DNSSEC and DANE, not only can we *safely* use self-signed certificates for our servers, we can run our own CA and sign our server certificate with that.

When we *restrict* the use of our own CA to sign *only* the servers that we control, we tie them together into a group *identified* by our local CA's Root Certificate.

Browsers can check whether resources on a page are signed with the same CA. If so (and if it's not a global CA), the browser can decide to place these resources in a single trust domain. Resources not signed by our own local CA are placed in a different (lower) trust domain.

The browser can run our JavaScript application, say web mail or photo manipulation, safely while avoiding a hostile JavaScript from a spying or hacked advertisement platform.

I call it the Cryptographic Same Origin Policy. For details please read [1].

With regards,
Guido Witmond.

[1] http://witmond.nl/blog/2013/03/23/Cryptographic-same-origin-policy.html

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
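
The trust-domain decision described in the message above, sketched as an added example that is not part of the original post or of the linked proposal. All names, fingerprints and URLs are constructed; the sketch assumes chain validation and the DANE lookup have already succeeded, and that a page served under a global CA keeps the hostname:port policy.

```javascript
// rootFp stands for the fingerprint of the root certificate that a
// resource's TLS server certificate chains to (constructed values).
const GLOBAL_CA_ROOTS = new Set(["fp:global-ca-1"]); // roots from the browser store

function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.hostname}:${port}`;
}

// Returns the trust domain label for one resource loaded by `page`.
function trustDomain(page, resource) {
  const pageIsLocalCa = Boolean(page.rootFp) && !GLOBAL_CA_ROOTS.has(page.rootFp);
  if (!pageIsLocalCa) {
    // Assumption: under a global CA nothing changes, hostname:port applies.
    return `origin:${originOf(resource.url)}`;
  }
  if (resource.rootFp === page.rootFp) {
    return `ca:${page.rootFp}`; // same local CA: same trust domain as the page
  }
  // Different signer: lower trust domain, kept apart per origin (assumption).
  return `untrusted:${originOf(resource.url)}`;
}

// Groups resource URLs by the trust domain they would be placed in.
function classify(page, resources) {
  const domains = new Map();
  for (const r of resources) {
    const d = trustDomain(page, r);
    if (!domains.has(d)) domains.set(d, []);
    domains.get(d).push(r.url);
  }
  return domains;
}

// Constructed sample: a web mail page, its own static host, and an ad script.
const page = { url: "https://mail.example.org/", rootFp: "fp:example-org-local-ca" };
const resources = [
  { url: "https://mail.example.org/app.js", rootFp: "fp:example-org-local-ca" },
  { url: "https://static.example.net/ui.js", rootFp: "fp:example-org-local-ca" },
  { url: "https://ads.example.com/track.js", rootFp: "fp:global-ca-1" },
  { url: "https://mail.example.org:8443/x.js", rootFp: "fp:other-local-ca" },
];
const result = classify(page, resources);
console.log(result);
```

The second resource lives on a different hostname yet shares the page's trust domain, while the advertisement script and the resource signed by another local CA do not.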
