Re: SSL/TLS everywhere fail from Cory Benfield on 2015-12-07 (ietf-http-wg@w3.org from October to December 2015)

From: Cory Benfield <cory@lukasa.co.uk>
Date: Mon, 7 Dec 2015 12:27:46 +0000
To: Adrien de Croy <adrien@qbik.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Jacob Appelbaum <jacob@appelbaum.net>, Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <F359B3F7-A56B-4F32-94B1-285801DEB055@lukasa.co.uk>

> On 7 Dec 2015, at 12:25, Adrien de Croy <adrien@qbik.com> wrote:
> 
> 
> um
> 
> in TLS the Server cert message includes the server cert in ASN.1 format including the public key
> 
> So I don't see this being any different.  Or am I missing something?
> 
> Adrien
> 

The difference is that in TLS the certificate is *validated*: there is a process used for determining that the key in this certificate is acceptable to use for this data. The draft under discussion includes no such validation process.

Cory

Received on Monday, 7 December 2015 12:28:18 UTC