On 12/01/15 19:18, Chris Hartmann wrote:
> 2) a.com forms a business relationship with b.com to perform a
> business function on its behalf (payment processor, blog, whatever).
> The landing page is b.com/a

Would it not be reasonable to say that, when this sort of relationship is set up, best practice is to do DNS delegation so that the landing page is on b.a.com or some other subdomain of a.com?

> 3) Bob visits b.com/a and notices that the page claims to be
> affiliated and owned by a.com

...because then, both the DNS info and the claim would match.

> 4) How can Bob, in absolute terms, trust that b.com/a is affiliated
> and a delegated service by a.com? (say, prior to submitting sensitive
> information)

Because the domain used is a subdomain of a.com.

Gerv

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
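The check Bob relies on in point 4 under the subdomain approach, as an added example that is not part of the original message: the landing page's host must sit under a.com on a DNS label boundary. The function name and sample URLs are constructed for illustration, and the HTTPS requirement is an added assumption (without TLS the hostname is not authenticated).

```python
from urllib.parse import urlsplit


def is_under_domain(url: str, owner: str) -> bool:
    """Return True if url is HTTPS and its host is owner or a subdomain of it.

    Assumption: owner is the registrable domain (e.g. "a.com"), not a public
    suffix such as "com" or "co.uk", which would match unrelated sites.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL, e.g. an unterminated IPv6 literal
    if parts.scheme != "https":
        return False  # hostname is only trustworthy when TLS authenticates it
    if not parts.hostname:
        return False
    # .hostname drops any "user@" prefix and the port, and lowercases the name.
    host_labels = parts.hostname.rstrip(".").split(".")
    owner_labels = owner.rstrip(".").lower().split(".")
    if "" in host_labels or "" in owner_labels:
        return False  # empty label, e.g. "a..com"
    # Compare whole labels from the right, so "nota.com" and "a.com.b.com"
    # do not pass a naive string-suffix or substring test.
    return host_labels[-len(owner_labels):] == owner_labels


# Constructed sample URLs, not taken from the thread.
SAMPLES = [
    "https://b.a.com/pay",     # delegated subdomain: matches the claim
    "https://b.com/a",         # path on the partner's own domain
    "https://a.com.b.com/",    # a.com appears as a prefix, not the parent
    "https://nota.com/",       # string suffix match without a label boundary
    "https://a.com@b.com/a",   # a.com is userinfo here, the host is b.com
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:28} under a.com: {is_under_domain(sample, 'a.com')}")
```
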
