- From: Reto Bachmann-Gmür <reto@gmuer.ch>
- Date: Mon, 15 Jul 2013 18:19:23 +0200
- To: J Ross Nicoll <jrn@jrn.me.uk>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, HTTP Working Group <ietf-http-wg@w3.org>
On Sun, Jul 14, 2013 at 12:41 AM, J Ross Nicoll <jrn@jrn.me.uk> wrote: > Bogus certificates and server-side backdoors seem inevitable, at least in > the current political climate. I don't think any realistic changes at the > transport layer will affect that (unrealistic changes would include "move to > a web of trust"). Not sure if it would be within the possibilities of this WG to define an optional public key hash in HTTP URIs. If a link contains such a hash of the public key of the target this would protect against attacks from a root-certificate holding man in the middle. It wouldn't be a full move to a web of trust nor a replacement of the uri-scheme as with the httpsy proposal just an optional additional security that works alongside as well as without the PKI provided trust. Cheers, Reto
Received on Monday, 15 July 2013 16:19:48 UTC