
Re: SSL/TLS everywhere fail

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 07 Dec 2015 12:25:47 +0000
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>, "Cory Benfield" <cory@lukasa.co.uk>
Cc: "Jacob Appelbaum" <jacob@appelbaum.net>, "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <emb8b1ff40-6ac4-45ce-8c29-9ccecba6dcd8@bodybag>


In TLS the Server cert message includes the server cert in ASN.1 format,
including the public key.

So I don't see this being any different.  Or am I missing something?


------ Original Message ------
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: "Cory Benfield" <cory@lukasa.co.uk>
Cc: "Jacob Appelbaum" <jacob@appelbaum.net>; "Amos Jeffries" 
<squid3@treenet.co.nz>; "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 7/12/2015 11:53:55 p.m.
Subject: Re: SSL/TLS everywhere fail

>In message <51A9584D-0F29-484A-AAC5-75C46D35658F@lukasa.co.uk>, Cory 
>Benfield writes:
>>I ask these questions only because you used the word 'simple'.
>>The header itself (as in, the bytes on the wire) may be simple, but
>>the technological underpinnings of this approach are *not* simple, at
>>least as far as I can see. The best we have right now is a current I-D
>>that aims to address exactly this,
>>draft-thomson-http-content-signature[0], and that draft suffers from the
>>absurd flaw that the signing public key is transmitted in
>>unauthenticated cleartext right alongside the signature itself.
>I am not sure I understand why you consider that an "absurd flaw"
>and I have not been able to find any mail-discussion where such
>a critique is raised.
>Can you summarize the argument ?
>Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
>phk@FreeBSD.ORG         | TCP/IP since RFC 956
>FreeBSD committer       | BSD since 4.3-tahoe
>Never attribute to malice what can adequately be explained by 
Received on Monday, 7 December 2015 12:26:28 UTC
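The two positions in this exchange can be checked side by side in code. The following is an added example, not code from the thread, from draft-thomson-http-content-signature, or from any TLS implementation: it models a response that carries its own signing key (a simplified stand-in for the draft's header, not its wire format), and compares three verifiers. One trusts whatever key the message carries; one uses a key obtained out of band; one accepts a carried key only when a separately trusted anchor has signed it, which is the role the CA signature on a TLS server certificate plays. Key names, the `Scenario` function and the body strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedContent is a body plus a signature header that also carries the
// signing public key (assumed layout; the draft's real header is not modelled).
type SignedContent struct {
	Body      []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Sign produces the triple a publisher would attach to a response.
func Sign(priv ed25519.PrivateKey, body []byte) SignedContent {
	return SignedContent{
		Body:      body,
		Signature: ed25519.Sign(priv, body),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyWithCarriedKey checks the signature with the key the message itself
// supplies. It proves only that *some* key holder signed this body.
func VerifyWithCarriedKey(m SignedContent) bool {
	return ed25519.Verify(m.PublicKey, m.Body, m.Signature)
}

// VerifyWithTrustedKey ignores the carried key and uses one the verifier
// already trusts (pinned or otherwise obtained out of band).
func VerifyWithTrustedKey(trusted ed25519.PublicKey, m SignedContent) bool {
	return ed25519.Verify(trusted, m.Body, m.Signature)
}

// CertifiedContent additionally carries an endorsement of the public key by a
// trust anchor, as the server certificate in the TLS Certificate message does.
// Simplified: the "certificate" is just the raw key signed by the anchor.
type CertifiedContent struct {
	SignedContent
	KeyEndorsement []byte
}

// Certify lets the anchor endorse the key carried in m.
func Certify(anchor ed25519.PrivateKey, m SignedContent) CertifiedContent {
	return CertifiedContent{SignedContent: m, KeyEndorsement: ed25519.Sign(anchor, m.PublicKey)}
}

// VerifyWithAnchor trusts only the anchor key: the carried key counts once the
// anchor's endorsement of it checks out, then the body signature is verified.
func VerifyWithAnchor(anchor ed25519.PublicKey, m CertifiedContent) bool {
	if !ed25519.Verify(anchor, m.PublicKey, m.KeyEndorsement) {
		return false
	}
	return ed25519.Verify(m.PublicKey, m.Body, m.Signature)
}

// Outcome records what each verifier says about the publisher's original
// message and about a rewritten copy signed under an unrelated key.
type Outcome struct {
	OriginalCarried, OriginalTrusted, OriginalAnchored    bool
	RewrittenCarried, RewrittenTrusted, RewrittenAnchored bool
}

// Scenario runs the comparison end to end with freshly generated keys.
func Scenario() (Outcome, error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, privOther, err := ed25519.GenerateKey(rand.Reader) // unrelated key, not endorsed by the anchor
	if err != nil {
		return Outcome{}, err
	}
	pubAnchor, privAnchor, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	original := Sign(privPublisher, []byte("constructed response body"))
	rewritten := Sign(privOther, []byte("constructed replacement body"))
	// Only the publisher's key was endorsed; the rewritten copy reuses that
	// endorsement but carries a different key, so the chain no longer links.
	endorsed := Certify(privAnchor, original)
	rewrittenCert := CertifiedContent{SignedContent: rewritten, KeyEndorsement: endorsed.KeyEndorsement}
	return Outcome{
		OriginalCarried:   VerifyWithCarriedKey(original),
		OriginalTrusted:   VerifyWithTrustedKey(pubPublisher, original),
		OriginalAnchored:  VerifyWithAnchor(pubAnchor, endorsed),
		RewrittenCarried:  VerifyWithCarriedKey(rewritten),
		RewrittenTrusted:  VerifyWithTrustedKey(pubPublisher, rewritten),
		RewrittenAnchored: VerifyWithAnchor(pubAnchor, rewrittenCert),
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The carried-key verifier accepts both messages, so on its own it adds nothing a receiver can act on; the pinned-key and anchor-based verifiers accept only the publisher's message. Both sides of the thread are consistent with this: a key carried in the message is harmless when, as in TLS, the verifier can check it against something it already trusts, and meaningless when it cannot.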
