
Re: SSL/TLS everywhere fail

From: Cory Benfield <cory@lukasa.co.uk>
Date: Mon, 7 Dec 2015 12:27:46 +0000
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Jacob Appelbaum <jacob@appelbaum.net>, Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <F359B3F7-A56B-4F32-94B1-285801DEB055@lukasa.co.uk>
To: Adrien de Croy <adrien@qbik.com>

> On 7 Dec 2015, at 12:25, Adrien de Croy <adrien@qbik.com> wrote:
> 
> 
> um
> 
> in TLS the Server cert message includes the server cert in ASN.1 format including the public key
> 
> So I don't see this being any different.  Or am I missing something?
> 
> Adrien
> 

The difference is that in TLS the certificate is *validated*: there is a process used for determining that the key in this certificate is acceptable to use for this data. The draft under discussion includes no such validation process.

Cory

Received on Monday, 7 December 2015 12:28:18 UTC
