Hi Thomas, On Apr 16, 2009, at 17:23 , Thomas Roessler wrote:
1. How is the information in this access element going to be used at installation time or distribution time? I'd like to see some spec text that explains this.
My understanding is that this is like the feature element and others: it is metadata and its enforcement depends on a security policy. When that security policy intervenes (I would expect at runtime, for every access) is presumably orthogonal.
2. If one of the risks we're interested in is firewall traversal, then then proposed domain name wildcard has a somewhat different risk profile than just a single domain name: while you can do a DNS rebinding attack for a single hostname, that's a well-known issue, and hopefully worked around in today's browser engines. With the wildcard, though, it becomes relatively easy to do firewall traversal: For example, one could simply generate DNS records n.n.n.n.example.com that point to the IP address n.n.n.n.
I think that this is also meant to be orthogonal to firewalls, but maybe I'm missing something?
-- Robin Berjon - http://berjon.com/ Feel like hiring me? Go to http://robineko.com/
