Subject: Re: Signed RSL from Apache
From: Paul Evans
Date: Mon, 20 Feb 2012 17:10:08 +0000
To: flex-dev@incubator.apache.org

On 20 Feb 2012, at 16:56, Omar Gonzalez wrote:

> 1.) security and 2.) Flash Player RSL caching at a global level (all domains),
> Having Apache host RSLs would help us to resolve #1 as Adobe will no longer host our RSLs. I hope that's clear and that I've gotten that all correct, someone correct me if I'm wrong here please.

RE #1, much of this afternoon's discussion has been that unless they are signed or can in some other secure way be authenticated at runtime, then #2 is likely unviable due to exposure to a 'man-in-the-middle', which issue Alex alluded to back in January:

On 5 Jan 2012, at 17:15, Alex Harui wrote:

> There are no plans at this time to host RSLs somewhere. It might be possible if we get enough support for it. However, they won't be signed and I'm concerned about the security implications of that. I'm not a security expert, but I believe unsigned RSLs will leave you exposed to a man-in-the-middle attack, and that alone might be sufficient to kill any momentum for a central place to pick up RSLs.
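The "some other secure way authenticated at runtime" point in the message above, illustrated as an added example that is not code from this thread or from Apache Flex: an application that fetches a shared library from a host it does not control can still refuse a substituted copy if it carries its own pinned SHA-256 digest of the genuine library and checks the fetched bytes against it before loading. The library bytes and the digest below are constructed placeholders; `verify_rsl`, `load_rsl` and `load_rsl_unchecked` are hypothetical names chosen for the example, the last one showing what the loader looks like when nothing authenticates the download.

```python
import hashlib
import hmac

# Constructed sample: the bytes an application would fetch from a shared host,
# and the digest of the genuine copy that the application ships with (pinned
# at build time, so it is already in memory before any network fetch happens).
GENUINE_RSL = b"swf-bytes-of-framework-library-v1"  # constructed placeholder
PINNED_SHA256 = hashlib.sha256(GENUINE_RSL).hexdigest()


def verify_rsl(fetched: bytes, pinned_hex: str) -> bool:
    """Return True only if the fetched bytes hash to the pinned digest.

    An attacker positioned between the application and the host can replace
    the library in transit, but cannot change the digest embedded in the
    application that is already running, so a mismatch exposes the swap.
    """
    actual = hashlib.sha256(fetched).hexdigest()
    # Constant-time comparison: the check itself should not leak the digest.
    return hmac.compare_digest(actual, pinned_hex)


def load_rsl(fetched: bytes, pinned_hex: str) -> bytes:
    """Gate loading on the integrity check; refuse anything that fails it."""
    if not verify_rsl(fetched, pinned_hex):
        raise ValueError("RSL integrity check failed; refusing to load")
    return fetched


def load_rsl_unchecked(fetched: bytes) -> bytes:
    """The exposure described in the thread: whatever the host returns is
    loaded as-is, so a substituted library runs with no indication anything
    is wrong."""
    return fetched


if __name__ == "__main__":
    # Genuine copy loads; a copy altered in transit is rejected.
    print(load_rsl(GENUINE_RSL, PINNED_SHA256) == GENUINE_RSL)
    tampered = GENUINE_RSL + b"-modified-in-transit"
    try:
        load_rsl(tampered, PINNED_SHA256)
    except ValueError as err:
        print("rejected:", err)
    # The unchecked loader accepts the same tampered bytes without complaint.
    print(load_rsl_unchecked(tampered) == tampered)
```

A pinned digest authenticates one exact build, so every library update also requires a rebuilt application; a signature over the library with a key the application trusts is the usual way to allow updates without that coupling, which is why the thread keeps returning to signing rather than hosting alone.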