On Wed, Dec 3, 2008 at 5:32 PM, Breno de Medeiros <[EMAIL PROTECTED]> wrote: > There is a bit too much emphasis put on the word 'authoritative' here. > There is so much that can be considered authoritative about an > unsigned document, even if served through HTTPS. Serving a document > over HTTPS just requires defacing a web site, something not that hard > to do considering the great variety of vulnerable server software out > there. > > When we start talking about signing such documents, and where the > trust is coming from, then maybe the word authoritative will take a > real-world significance. > However, from what I have been hearing, the current proposal does not > plan for signing of site-meta,
That seems a shame. > and the links pointed to by it will > have to carry implicit trust (maybe they will be signed documents, or > maybe they are just informative). > > It is probably better to think of site-meta as a 'hint' of where to > find things. Which, come to think of it, in these days of readily > spoofable DNS resolution, it also the only level of assurance that DNS > provides. As Ben pointed out, DNS is happy to be authoritative over > pretty much anything and provide assurance about nothing. To be fair, this is why DNSSEC exists.
