W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: Request for feedback: DOMCrypt API proposal

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 02 Jun 2011 17:06:45 +0100
Message-ID: <4DE7B515.7080608@cs.tcd.ie>
To: David Dahl <ddahl@mozilla.com>
CC: public-web-security@w3.org, Nico Williams <nico@cryptonector.com>
I guess the RFC [1] - those are supposed to be good enough
for implementers:-)

If its not enough, feel free to ping me and I can try find
someone who's written code.

S.

[1] http://tools.ietf.org/html//rfc5705

On 02/06/11 16:57, David Dahl wrote:
> Someone else also asked me about TLS key extraction, I will have to add that to my list of research to do. Can you point me to any further reading?
> 
> Cheers,
> 
> David
> 
> ----- Original Message -----
> From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
> To: "Nico Williams" <nico@cryptonector.com>
> Cc: "David Dahl" <ddahl@mozilla.com>, public-web-security@w3.org
> Sent: Thursday, June 2, 2011 10:01:21 AM
> Subject: Re: Request for feedback: DOMCrypt API proposal
> 
> 
> 
> On 02/06/11 15:41, Nico Williams wrote:
>> If people were to rely on TLS key extraction then we might as well
>> kiss mutual authentication goodbye, 
> 
> Two things. First, I don't see that that follows and even if
> it did it still would not necessarily be convincing. My idea
> in pushing key extraction is to avoid loads of developers
> re-inventing the TLS handshake (badly) at the application
> layer. Secondly, mutual auth is a different (in practice)
> hard problem that's also well worth trying to address.
> 
>> but mutual authentication and
>> channel binding had plenty of support at the workshop (though they are
>> not mentioned in the report).
> 
> If there's interest in that too, that's great, but these
> things should not be seen as competing IMO.
> 
> S.
> 
> 
Received on Thursday, 2 June 2011 16:07:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 2 June 2011 16:07:11 GMT