Re: PRISM and HTTP/2.0

On 16/07/2013 4:19 a.m., Reto Bachmann-Gmür wrote:
> On Sun, Jul 14, 2013 at 12:41 AM, J Ross Nicoll wrote:
>> Bogus certificates and server-side backdoors seem inevitable, at least in
>> the current political climate. I don't think any realistic changes at the
>> transport layer will affect that (unrealistic changes would include "move to
>> a web of trust").
> Not sure if it would be within the possibilities of this WG to define
> an optional public key hash in HTTP URIs. If a link contains such a
> hash of the public key of the target this would protect against
> attacks from a root-certificate holding man in the middle.

I can't think how. The MITM can as easily change that public key to its 
own one and use the original itself as the client could use it in the 
first place. Security 101 - never send the vital key data over a suspect 
channel which relys on that key for protection.

The whole of this thread is beyond WG charter IMHO. Let us stop circling 
the drain on it.

Amos

Received on Tuesday, 16 July 2013 12:20:48 UTC