W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: Request for feedback: DOMCrypt API proposal

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 02 Jun 2011 16:01:21 +0100
Message-ID: <4DE7A5C1.8020204@cs.tcd.ie>
To: Nico Williams <nico@cryptonector.com>
CC: David Dahl <ddahl@mozilla.com>, public-web-security@w3.org

On 02/06/11 15:41, Nico Williams wrote:
> If people were to rely on TLS key extraction then we might as well
> kiss mutual authentication goodbye, 

Two things. First, I don't see that that follows and even if
it did it still would not necessarily be convincing. My idea
in pushing key extraction is to avoid loads of developers
re-inventing the TLS handshake (badly) at the application
layer. Secondly, mutual auth is a different (in practice)
hard problem that's also well worth trying to address.

> but mutual authentication and
> channel binding had plenty of support at the workshop (though they are
> not mentioned in the report).

If there's interest in that too, that's great, but these
things should not be seen as competing IMO.

Received on Thursday, 2 June 2011 15:01:50 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC