- From: Henry Story <henry.story@bblfish.net>
- Date: Thu, 29 Mar 2012 08:12:36 +0200
- To: "Adrien W. de Croy" <adrien@qbik.com>
- Cc: "patrick mcmanus" <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 29 Mar 2012, at 01:37, Adrien W. de Croy wrote:

> Another topical issue relates to infrastructure providers and security
> concerns about eavesdropping. Your network infrastructure starts
> phoning home using TLS and you'll have some nervous admins. Some
> communication needs to be demonstrably open and transparent.

It is also possible to have TLS with no encryption, guaranteeing message integrity but not confidentiality.

> On the topic of OCSP, there's an existing issue relating to
> concentration of risk. If you can break cert validation on millions of
> sites just by DDoSing a couple OCSP servers, then that will become a
> bigger problem as TLS gets rolled out.
>
> The requirements to be able to issue certificates will need to be
> strengthened to enforce bullet-proof validation infrastructure. We
> already have issues with access to OCSP servers for validation.
>
> Adrien

Social Web Architect
http://bblfish.net/
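The integrity-only mode Henry mentions corresponds to TLS cipher suites whose bulk cipher is NULL (for example TLS_RSA_WITH_NULL_SHA256, or NULL-SHA256 in OpenSSL naming). An operator who wants deliberately transparent traffic, or who wants to confirm such suites are not accidentally enabled, needs a way to audit a cipher list for them. The following is an added example, not code from the thread or from any project it mentions; the cipher list it audits is a constructed sample, and the only real API it relies on is Python's standard `ssl` module for the live-context check.

```python
"""Audit a TLS cipher list for suites that give integrity without confidentiality.

Added example, not part of the original message. Handles both IANA names
(TLS_RSA_WITH_NULL_SHA256) and OpenSSL names (NULL-SHA256, ECDHE-RSA-NULL-SHA).
"""
import re
import ssl
from typing import Optional

# Constructed sample: a colon-separated cipher list as it might appear in a
# server configuration, mixing encrypting and NULL-cipher suites.
SAMPLE_CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-NULL-SHA:"
    "TLS_RSA_WITH_NULL_SHA256:"
    "TLS_AES_256_GCM_SHA384:"
    "NULL-MD5"
)


def is_integrity_only(suite: str) -> bool:
    """True when the suite's bulk cipher is NULL: records are MACed but not encrypted.

    In both naming schemes the bulk cipher appears as its own hyphen- or
    underscore-separated token, so a bare 'NULL' token means no confidentiality.
    (OpenSSL's eNULL / aNULL are cipher-string keywords, not suite names.)
    """
    tokens = re.split(r"[-_]", suite.strip().upper())
    return "NULL" in tokens


def audit_cipher_list(cipher_list: str) -> dict:
    """Split an OpenSSL-style list and report which suites lack encryption."""
    suites = [s for s in cipher_list.split(":") if s]
    integrity_only = [s for s in suites if is_integrity_only(s)]
    return {
        "total": len(suites),
        "integrity_only": integrity_only,
        "confidential": [s for s in suites if s not in integrity_only],
    }


def enabled_integrity_only_suites(ctx: Optional[ssl.SSLContext] = None) -> list:
    """Report NULL-cipher suites a live context would actually offer.

    Python's default context excludes eNULL suites, so this normally returns [];
    a non-empty result means the context was configured for integrity-only TLS.
    """
    ctx = ctx or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if is_integrity_only(c["name"])]


if __name__ == "__main__":
    report = audit_cipher_list(SAMPLE_CIPHER_LIST)
    print(f"{report['total']} suites, {len(report['integrity_only'])} integrity-only:")
    for s in report["integrity_only"]:
        print("   ", s)
    print("default SSLContext offers integrity-only suites:",
          enabled_integrity_only_suites())
```

Whether an integrity-only suite is a finding or the intended configuration depends on the deployment Adrien describes: for infrastructure traffic that must be inspectable, the audit confirms the NULL suites are the ones present; for everything else, any entry in `integrity_only` is a misconfiguration to remove.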
Received on Thursday, 29 March 2012 06:13:19 UTC