
Re: Moving forward on improving HTTP's security

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Fri, 15 Nov 2013 07:57:35 +0100
Message-ID: <b7dbd237e2a4b5198d2b2c2897201ae0.squirrel@arekh.dyndns.org>
To: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>
Cc: "Roberto Peon" <grmocg@gmail.com>, "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "Mark Nottingham" <mnot@mnot.net>, "Will Chan" <willchan@chromium.org>, "Julian Reschke" <julian.reschke@gmx.de>, "Tao Effect" <contact@taoeffect.com>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Zhong Yu" <zhong.j.yu@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>, "James M Snell" <jasnell@gmail.com>, "Michael Sweet" <msweet@apple.com>, "Nicholas Hurley" <hurley@todesschaf.org>, "Tim Bray" <tbray@textuality.com>, "Mike Belshe" <mike@belshe.com>, "Willy Tarreau" <w@1wt.eu>

On Fri, 15 November 2013 07:01, Nicolas Mailhot wrote:
>
> On Thu, 14 November 2013 21:57, Roberto Peon wrote:
>> .. And?
>
> And egg, meet chicken: you need the protocol to make the connection work, but
> you're building a protocol that requires this connection before working

(unless of course I misunderstood and instead of using the physical link
to import a trusted cert into the device you want to use it to import
whatever's in the device into your browser cert store. Making any connected
device factory in China a giant CA able to inject any cert it wants into
millions of browsers. And I thought existing CA security was bad, do you
think the Chinese factory will even bother with a physical lock on its
mastering robots?)

-- 
Nicolas Mailhot
Received on Friday, 15 November 2013 06:58:04 UTC