On Sat, Aug 29, 2015 at 10:21:12AM +0200, Anders Rundgren wrote:
> A core part of the Web Security model is based on SOP.
>
> However, the world (outside of the Web) isn't working according to this model;
> it is rather ad-hoc.
>

Some of us believe that part of the reason the world isn't working that way is that the SOP elevates the value of information you get from a domain name in a URL. We're trying to do something about it in the IETF's DBOUND WG, and we could use some help. In particular,

> This is where it (IMO) gets wrong. If Super-Providers are trusted for
> mediating access to arbitrary domains, why couldn't [properly designed]
> applications also perform this task?
>

I believe that the problem is partly that it's hard for an operator of a site to declare complicated policies about relationships with other domains on the Internet. I think that the efforts in DBOUND are at least a step forward, but I worry that people think that a slightly more capable maintenance regime for the PSL (public suffix list) will be enough. To me, the PSL is already inadequate, and just trying to make its maintenance easier is a waste of effort.

Best regards,

A

--
Andrew Sullivan
a...@anvilwalrusden.com
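To make the PSL point concrete, the following is an added example (not part of the thread, not DBOUND or Mozilla code) that implements the publicsuffix.org matching algorithm over a small constructed rule list standing in for the real PSL. It shows the only question the PSL can answer, namely where a "registrable domain" begins and therefore which hosts a browser treats as the same site, and by extension what it cannot express: any relationship between two names on different sides of that boundary. The rule list, host names and the `same_site` helper are assumptions made for the example.

```python
"""Toy Public Suffix List (PSL) matcher, following the publicsuffix.org algorithm.

Added example: the rule list below is constructed for illustration and is NOT the
real PSL. It exists to show what a PSL lookup can and cannot decide.
"""
from typing import List, Optional

# Constructed stand-in for the PSL (assumption: a handful of ICANN and PRIVATE rules).
CONSTRUCTED_PSL = """
// ===BEGIN ICANN DOMAINS===
com
net
io
uk
co.uk
ck
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
github.io
"""


def parse_psl(text: str) -> List[str]:
    """Keep one rule per line; drop blank lines and '//' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


RULES = parse_psl(CONSTRUCTED_PSL)


def _rule_matches(rule: str, labels: List[str]) -> bool:
    """A rule matches when its labels equal the host's rightmost labels ('*' is a wildcard)."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d for r, d in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(host: str, rules: List[str]) -> str:
    """Return the public suffix of host per the PSL algorithm.

    An exception rule ('!') wins outright and loses its leftmost label; otherwise the
    matching rule with the most labels wins; with no match the implicit rule is '*'.
    """
    labels = host.lower().rstrip(".").split(".")
    matches = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        prevailing = exceptions[0][1:].split(".")[1:]
    elif matches:
        prevailing = max(matches, key=lambda r: r.count(".")).split(".")
    else:
        prevailing = ["*"]
    return ".".join(labels[-len(prevailing):])


def registrable_domain(host: str, rules: List[str]) -> Optional[str]:
    """Public suffix plus one label; None when host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = public_suffix(host, rules).count(".") + 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def same_site(a: str, b: str, rules: List[str]) -> bool:
    """The one relationship the PSL lets a browser infer: identical registrable domain."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb


if __name__ == "__main__":
    for host in ("www.example.co.uk", "foo.github.io", "www.ck", "foo.bar.ck", "co.uk"):
        print(f"{host:20} suffix={public_suffix(host, RULES):10} "
              f"registrable={registrable_domain(host, RULES)}")
    # Two names under one operator on different registrable domains are unrelated
    # as far as the PSL is concerned; no PSL entry can say otherwise.
    print(same_site("app.example.com", "cdn.example.net", RULES))
```

The `github.io` rule is the kind of entry the PRIVATE section exists for: it makes `alice.github.io` and `bob.github.io` separate sites so that one tenant's cookies cannot reach another's. What no entry can express is the converse, that `app.example.com` and `cdn.example.net` belong to one operator and may share state, which is the gap the message above describes.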