W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Mon, 07 Dec 2015 10:53:55 +0000
To: Cory Benfield <cory@lukasa.co.uk>
cc: Jacob Appelbaum <jacob@appelbaum.net>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
Message-ID: <68047.1449485635@critter.freebsd.dk>
In message <51A9584D-0F29-484A-AAC5-75C46D35658F@lukasa.co.uk>, Cory Benfield writes:

>I ask these questions only because you used the word 'simple'.
>The header itself (as in, the bytes on the wire) may be simple, but 
>the technological underpinnings of this approach are *not* simple, at 
>least as far as I can see. The best we have right now is a current I-D 
>that aims to address exactly this, 
>draft-thomson-http-content-signature[0], and that draft suffers from the 
>absurd flaw that the signing public key is transmitted in 
>unauthenticated cleartext right alongside the signature itself.

I am not sure I understand why you consider that an "absurd flaw"
and I have not been able to find any mail-discussion where such
a critique is raised.

Can you summarize the argument ?

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 7 December 2015 10:54:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC