
Re: New Version Notification for draft-nottingham-http2-encryption-02.txt

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Mon, 16 Dec 2013 18:02:46 +0000
Message-ID: <52AF4046.8050305@cs.tcd.ie>
To: Martin Thomson <martin.thomson@gmail.com>, Yoav Nir <synp71@live.com>
CC: Christian Huitema <huitema@huitema.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>


On 12/16/2013 05:43 PM, Martin Thomson wrote:
> On 16 December 2013 04:02, Yoav Nir <synp71@live.com> wrote:
>> But how can you get an authentic redirect, if hotmail.com does not have a
>> CA-issued certificate? And if it does, why not use that rather than a
>> self-signed certificate?
> 
> That was somewhat the point of the comment I think.  If you are going
> to avoid getting a good certificate, then you also avoid all the
> advantages, like resilience against active attacks like that.
> 
> A self-signed certificate does allow for things that are TOFU-like,
> but not perfectly.  Things like CT help too.  

But afaik CT doesn't help with self-signed or equivalent TOFU
things as it relies on the CAs to avoid the log being spammed.
If there were a way to let web sites use CT for self-signed
certs, that'd be interesting but I thought that the CT folks
didn't like that idea.

S.

> Obviously,
> http://hotmail.com should have a certificate that is signed by a CA
> and HSTS turned on.  (Sadly, in reality, it has the former; instead of
> the latter, it provides a P3P header :( )  Those things cost.
> 
> As an aside, I really would like people to recognize the non-monetary
> costs here, which are far more relevant.



Received on Monday, 16 December 2013 18:03:09 UTC
