[certid] Wildcards for serving untrusted web content / same origin policy

Matt McCutchen <matt@mattmccutchen.net> Fri, 17 September 2010 03:37 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from :to:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=GdNlt2MW/gkNbrnjsPvZTzbPEZjeSbQCKyDZ2ur3muJ q/DpKkXWVyme9X49xwEPzLYpf9a4lw23BDdUS+RxqzhEEigZaNtj2UzQhLeVtZlZ xElmpkfpIlB6IAkTFoBw7UJkJd8XmI6GpE7ZqfUteD0ct6NAH38d5orYhLdnMY2A =
From: Matt McCutchen <matt@mattmccutchen.net>
To: certid@ietf.org
In-Reply-To: <5F42C835-3211-48A7-9375-CE45A9C53739@jpl.nasa.gov>
References: <201009160108.o8G18Sdm028897@fs4113.wdf.sap.corp> <5F42C835-3211-48A7-9375-CE45A9C53739@jpl.nasa.gov>
Content-Type: text/plain; charset="UTF-8"
Date: Thu, 16 Sep 2010 23:37:31 -0400
Message-ID: <1284694651.5722.234.camel@mattlaptop2.local>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [certid] Wildcards for serving untrusted web content / same origin policy
Precedence: list

On Thu, 2010-09-16 at 09:55 -0700, Henry B. Hotz wrote:
> I believe wildcards are a misfeature [...]

One important use case for wildcards is a web server that serves
untrusted content spread out over a large or infinite set of subdomains
to get increased protection from the same origin policy implemented by
modern browsers.  The server may use one subdomain per user who
publishes content, or even a fresh subdomain for every request.  A
wildcard certificate is a much cleaner solution than having to automate
the generation of a certificate per user, let alone per request.

We can absolutely blame the inflexible same origin policy for
necessitating the use of different host names (which also breaks TLS
session sharing), but realistically it isn't changing any time soon.

(Pardon me if this has already been pointed out.)

-- 
Matt

[certid] Fwd: secdir review of draft-saintandre-t… Peter Saint-Andre
Re: [certid] Fwd: secdir review of draft-saintand… Henry B. Hotz
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of draft-saintand… Matt McCutchen
Re: [certid] Fwd: secdir review of draft-saintand… Matt McCutchen
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of draft-saintand… Matt McCutchen
Re: [certid] Fwd: secdir review of draft-saintand… Phillip Hallam-Baker
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of Henry B. Hotz
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of Martin Rex
[certid] DNSSEC-based name canonicalization Matt McCutchen
[certid] Wildcards for serving untrusted web cont… Matt McCutchen
Re: [certid] DNSSEC-based name canonicalization Martin Rex
Re: [certid] DNSSEC-based name canonicalization Peter Gutmann
Re: [certid] secdir review of draft-saintandre-tl… Peter Saint-Andre
Re: [certid] Fwd: secdir review of draft-saintand… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… Peter Saint-Andre
Re: [certid] secdir review of draft-saintandre-tl… Barry Leiba
Re: [certid] Fwd: secdir review of draft-saintand… Barry Leiba
Re: [certid] secdir review of draft-saintandre-tl… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… Jeffrey Hutzelman
Re: [certid] [secdir] secdir review of draft-sain… Jeffrey Hutzelman
Re: [certid] [secdir] secdir review of draft-sain… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… ArkanoiD
Re: [certid] [TLS] [secdir] secdir review of draf… Marsh Ray
Re: [certid] [TLS] [secdir] secdir review of draf… Jeffrey A. Williams
Re: [certid] [TLS] [secdir] secdir review of draf… Marsh Ray
Re: [certid] [TLS] [secdir] secdir Martin Rex
Re: [certid] [TLS] [secdir] secdir review of draf… Richard L. Barnes
Re: [certid] [TLS] [secdir] secdir review of draf… Marsh Ray
[certid] Bad certificate handling Matt McCutchen
Re: [certid] [TLS] [secdir] secdir review of Martin Rex
Re: [certid] [TLS] [secdir] secdir review of Robert Relyea
Re: [certid] [TLS] [secdir] secdir review of draf… =JeffH
Re: [certid] [TLS] [secdir] secdir review of Nicolas Williams
Re: [certid] DNSSEC-based name canonicalization Peter Saint-Andre