W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: The TLS hammer and resource integrity

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 29 Mar 2012 08:12:36 +0200
Cc: "patrick mcmanus" <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <AF5AA884-609F-400A-9CA9-4138020ED935@bblfish.net>
To: "Adrien W. de Croy" <adrien@qbik.com>

On 29 Mar 2012, at 01:37, Adrien W. de Croy wrote:

> Another topical issue relates to infrastructure providers and security
> concerns about eavesdropping.  Your network infrastructure starts
> phoning home using TLS and you'll have some nervous admins.  Some
> communication needs to be demonstrably open and transparent.

It is also possible to have TLS with no encryption, guaranteeing 
message integrity but not confidentiality.

> On the topic of OCSP, there's an existing issue relating to
> concentration of risk.  If you can break cert validation on millions of sites just by DDoSing a couple OCSP servers, then that will become a
> bigger problem as TLS gets rolled out.
> The requirements to be able to issue certificates will need to be
> strengthened to enforce bullet-proof validation infrastructure.  We
> already have issues with access to OCSP servers for validation.
> Adrien

Social Web Architect
Received on Thursday, 29 March 2012 06:13:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:01 UTC