
Re: Semantics of HTTPS

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Thu, 13 Sep 2012 05:49:55 +0000
To: Mark Nottingham <mnot@mnot.net>
cc: Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <30443.1347515395@critter.freebsd.dk>
In message <53FE12F6-33BE-4731-8E20-72A79496EB80@mnot.net>, Mark Nottingham writes:

>Should we state that the HTTPS URI scheme implies end-to-end security 
>(i.e., between the user-agent and the origin server)?

Given the current hostile actions in the certificate-space, I think such
a statement should be footnoted with something like:

	Please notice that "end" in this context merely means "where
	the SSL/TLS session terminates".  Only proper handling and
	examination of the involved cryptographic keys can provide
	assurance that the other "end" is where it claims to be.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
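The footnote above draws a line between "a TLS session terminated somewhere" and "the peer is who it claims to be". The following is an added example, not part of Poul-Henning Kamp's mail or of any HTTP working-group text, showing what the client side of that distinction looks like in Python's standard `ssl` module: a strict context beside the lax one, a hostname check against the certificate's subjectAltName entries, and an optional certificate-fingerprint pin so that a chain-valid certificate for the right name from an unexpected issuer is still refused. The function names (`strict_client_context`, `peer_is_expected`, and so on), the sample certificate dictionary and the DER bytes are all constructed for the example and are not real certificate material; chain validation itself is left to the library, as it should be.

```python
"""Added example (not from the original mail): deciding whether the TLS
"end" we reached is the end we intended.  All sample data is constructed;
nothing here touches the network."""
import hashlib
import ssl
from typing import Iterable, Mapping, Optional, Tuple


def strict_client_context() -> ssl.SSLContext:
    """Hardened setting: require a chain to a trusted root AND a hostname
    match.  Only with both does a successful handshake say anything about
    who the other end is."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_client_context() -> ssl.SSLContext:
    """Weak setting, shown for contrast: the handshake still "succeeds",
    but it proves only that *some* TLS endpoint terminated the session.
    (check_hostname must be cleared before verify_mode can be CERT_NONE.)"""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only when both the chain and the name are checked."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def hostname_matches(hostname: str, cert: Mapping) -> bool:
    """Match a hostname against the dNSName subjectAltName entries of a
    getpeercert()-style dict.  A wildcard covers exactly one leftmost label
    (so "*.example.net" matches "api.example.net" but not "example.net" or
    "a.b.example.net").  Public-suffix rules are deliberately not modelled."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.net"
            if host.endswith(suffix) and host.count(".") == pattern.count("."):
                return True
        elif pattern == host:
            return True
    return False


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate; the value an operator would pin."""
    return hashlib.sha256(der_cert).hexdigest()


def peer_is_expected(
    hostname: str,
    cert: Optional[Mapping],
    der_cert: bytes,
    pinned_fingerprints: Optional[Iterable[str]] = None,
) -> Tuple[bool, str]:
    """Combine the checks.  `cert` is what getpeercert() returns (empty
    when verification was disabled); `der_cert` is getpeercert(True).
    A pin set rejects a certificate that chains correctly and names the
    right host but was not the one the operator expected."""
    if not cert:
        return False, "no verified certificate (verification disabled?)"
    if not hostname_matches(hostname, cert):
        return False, "certificate not issued for " + hostname
    if pinned_fingerprints is not None:
        if cert_fingerprint(der_cert) not in {p.lower() for p in pinned_fingerprints}:
            return False, "certificate fingerprint not in pin set"
    return True, "ok"


# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not real.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "*.example.net")),
}
SAMPLE_DER = b"constructed-bytes-not-a-real-certificate"


if __name__ == "__main__":
    pins = [cert_fingerprint(SAMPLE_DER)]
    for name in ("www.example.net", "api.example.net", "a.b.example.net", "example.net"):
        print(name, peer_is_expected(name, SAMPLE_CERT, SAMPLE_DER, pins))
    print("strict:", context_is_strict(strict_client_context()),
          "lax:", context_is_strict(lax_client_context()))
```

The shape to keep in mind: `strict_client_context()` is what `create_default_context()` already gives you, and `lax_client_context()` is what disabling verification to "make the error go away" turns it into. Pinning is the extra step the footnote hints at: it is the only one of these checks that examines the specific key rather than trusting whichever issuer vouched for the name.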
Received on Thursday, 13 September 2012 05:50:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 September 2012 05:50:27 GMT