On 20 Feb 2012, at 16:56, Omar Gonzalez wrote:

> 1.) security and 2.) Flash Player RSL caching at a global
> level (all domains),
> Having Apache host RSLs would help us to
> resolve #1 as Adobe will no longer host our RSLs. I hope that's clear and
> that I've gotten that all correct, someone correct me if I'm wrong here
> please.

RE #1, much of this afternoon's discussion has been that unless they are signed or can in some other secure way be authenticated at runtime, then #2 is likely unviable due to exposure to a 'man-in-the-middle' which issue Alex alluded to back in January:

On 5 Jan 2012, at 17:15, Alex Harui wrote:

> There are no plans at this time to host RSLs somewhere. It might be
> possible if we get enough support for it. However, they won't be signed and
> I'm concerned about the security implications of that. I'm not a security
> expert, but I believe unsigned RSLs will leave you exposed to a
> man-in-the-middle attack, and that alone might be sufficient to kill any
> momentum for a central place to pick up RSLs.