W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Mon, 07 Dec 2015 12:34:37 +0000
To: Stefan Eissing <stefan.eissing@greenbytes.de>
cc: Cory Benfield <cory@lukasa.co.uk>, Jacob Appelbaum <jacob@appelbaum.net>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
Message-ID: <66173.1449491677@critter.freebsd.dk>
In message <814951E1-DB77-4C6E-A144-FCEE17D73DD8@greenbytes.de>, Stefan Eissing writes:
>> Am 07.12.2015 um 13:13 schrieb Poul-Henning Kamp <phk@phk.freebsd.dk>:
>> --------
>> In message <AD5923A5-875D-4A3B-AFFF-26CE042934FC@lukasa.co.uk>, Cory =
>Benfield writes:
>> [...]
>> For instance I could open a HTTPS to a newspaper, and one of the
>> things I get back is the instruction:  "When you pick up our stuff
>> from the 3rd party CDN, the content must be signed with this key".
>> That could put integrity around an awfull lot of content which
>> simply doesn't need TLS because it is 100% public, with the
>> huge added benefit that the CDN's do need access to keys.
>You mean, do *not* need access to keys, right?=20

Correct, sorry for the typo.

>As the origin would put the signature together with the content at the 
>CDN, or?

Yes, basically the CDN gets the content with signature from origin
and doesn't even need to know what the signature means.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 7 December 2015 12:35:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC