- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Fri, 15 Nov 2013 07:57:35 +0100
- To: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>
- Cc: "Roberto Peon" <grmocg@gmail.com>, "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "Mark Nottingham" <mnot@mnot.net>, "Will Chan" <willchan@chromium.org>, "Julian Reschke" <julian.reschke@gmx.de>, "Tao Effect" <contact@taoeffect.com>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Zhong Yu" <zhong.j.yu@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>, "James M Snell" <jasnell@gmail.com>, "Michael Sweet" <msweet@apple.com>, "Nicholas Hurley" <hurley@todesschaf.org>, "Tim Bray" <tbray@textuality.com>, "Mike Belshe" <mike@belshe.com>, "Willy Tarreau" <w@1wt.eu>
Le Ven 15 novembre 2013 07:01, Nicolas Mailhot a écrit : > > Le Jeu 14 novembre 2013 21:57, Roberto Peon a écrit : >> .. And? > > And egg meet chicken you need the protocol to make the connexion work, but > you're building a protocol that requires this connexion before working (unless of course I misunderstood and instead of using the physical link to import a trusted cert in the device you want to use it to import whatever's in the device in your browser cert store. Making any connected device factory in China a giant CA able to inject any cert it wants in millions of browsers. And I thought existing CA security was bad, do you think the Chinese factory will even bother with a physical lock on its mastering robots?) -- Nicolas Mailhot
Received on Friday, 15 November 2013 06:58:04 UTC