W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: The TLS hammer and resource integrity

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 29 Mar 2012 08:12:36 +0200
Cc: "patrick mcmanus" <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <AF5AA884-609F-400A-9CA9-4138020ED935@bblfish.net>
To: "Adrien W. de Croy" <adrien@qbik.com>

On 29 Mar 2012, at 01:37, Adrien W. de Croy wrote:

> 
> Another topical issue relates to infrastructure providers and security
> concerns about eavesdropping.  Your network infrastructure starts
> phoning home using TLS and you'll have some nervous admins.  Some
> communication needs to be demonstrably open and transparent.

It is also possible to have TLS with no encryption, guaranteeing 
message integrity but not confidentiality.

> 
> On the topic of OCSP, there's an existing issue relating to
> concentration of risk.  If you can break cert validation on millions of sites just by DDoSing a couple OCSP servers, then that will become a
> bigger problem as TLS gets rolled out.
> 
> The requirements to be able to issue certificates will need to be
> strengthened to enforce bullet-proof validation infrastructure.  We
> already have issues with access to OCSP servers for validation.
> 
> Adrien

Social Web Architect
http://bblfish.net/
Received on Thursday, 29 March 2012 06:13:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT