Mailing list archive: ietf-http-wg-old@w3.org, May to August 1999

Re: Password change via HTTP

From: Ben Laurie <ben@algroup.co.uk>
Date: Mon, 14 Jun 1999 18:49:39 +0100
Message-ID: <376540B3.6E264EAF@algroup.co.uk>
To: Steve Parker <sparker@well.com>
CC: "'Alex Kodat'" <ALEX@SIRIUS.sirius-software.com>, hallam@ai.mit.edu, http-wg@hplb.hpl.hp.com
Steve Parker wrote:
> 
> Unfortunately, there are problems with certificate security.
> Shamir recently demonstrated how easy it is to find the private key
> in a PC because of different entropy of the objects.

Err? And who leaves their private key lying around unencrypted?

> Also, how can I be sure that the "client" serving up the
> certificate is the endpoint? A toolkit like WIDL would appear to
> provide a screen scraping capability for http which effectively
> creates a potential proxy, of which I, at the server end have
> no knowledge. Even if I have a cryptographically secure tunnel,
> and have a certificate, how do I know that someone hasn't added
> their own plumbing to the client?

Why do you care?

> There are times when it pays to use both belt and suspenders ...
> and even that may not be enough.

What were you planning to add to certs+crypto to make it more secure?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
Received on Monday, 14 June 1999 18:50:57 EDT
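The entropy observation Steve refers to (key material stands out from surrounding code and text because it is far more random) cuts both ways: the same measurement lets a defender audit a disk image, backup or config dump for key material that was stored unencrypted, which is exactly the situation Ben's "who leaves their private key lying around unencrypted?" presumes away. The following is an added example written for this archive page, not code from either correspondent or from any W3C or IETF project. It computes Shannon entropy over a sliding window and reports the byte ranges that score like random data; the window size, step and 6.0-bit cutoff are assumed values chosen for 256-byte windows, and the sample "image" is constructed inline (config-like text with a pseudo-random 512-byte block standing in for an unencrypted key).

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(buf: bytes, window: int = 256, step: int = 32,
                              threshold: float = 6.0):
    """Slide a window over buf and return merged (start, end) byte ranges whose
    entropy reaches the threshold.

    The threshold is tied to the window size (assumed values): 256 uniformly
    random bytes score roughly 7.1 bits per byte, while ASCII text and most
    machine code score well under 5, so 6.0 separates key-sized random blobs
    from their surroundings without flagging ordinary content.
    """
    regions = []
    last_start = max(0, len(buf) - window)
    for off in range(0, last_start + 1, step):
        if shannon_entropy(buf[off:off + window]) >= threshold:
            if regions and off <= regions[-1][1]:
                regions[-1][1] = off + window        # extend the current region
            else:
                regions.append([off, off + window])  # start a new region
    return [(start, end) for start, end in regions]


# Constructed sample: low-entropy config text with a 512-byte pseudo-random
# block embedded at a known offset, standing in for an unencrypted key on disk.
_TEXT = (b"user=alice\nhost=mail.example.invalid\nproxy=none\nretries=3\n" * 20)[:1024]
KEY_OFFSET = len(_TEXT)          # the blob starts here (1024)
KEY_LENGTH = 512
_rng = random.Random(1999)       # seeded so the sample is reproducible
_KEY_BLOB = bytes(_rng.getrandbits(8) for _ in range(KEY_LENGTH))
SAMPLE_IMAGE = _TEXT + _KEY_BLOB + _TEXT


def audit_sample():
    """Run the scan over the constructed image and return the flagged ranges."""
    return find_high_entropy_regions(SAMPLE_IMAGE)


if __name__ == "__main__":
    for start, end in audit_sample():
        print(f"high-entropy region at bytes {start}-{end} ({end - start} bytes)")
    print("text-only scan:", find_high_entropy_regions(_TEXT))
```

A real audit would feed `find_high_entropy_regions` the contents of a file or image and treat each flagged range as something to identify (an encrypted key, a compressed blob and a raw key all look random, so a hit is a prompt to check, not a verdict). The flagged span will be a little wider than the blob itself because windows that partly overlap it also clear the cutoff; the containment check is what matters.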

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:31 EDT