W3C home > Mailing lists > Public > public-webpayments@w3.org > April 2013

Re: Web Keys and HTTP Signatures

From: Norbert Bollow <nb@bollow.ch>
Date: Thu, 18 Apr 2013 18:31:26 +0200
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Web Payments CG <public-webpayments@w3.org>
Message-ID: <20130418183126.7578b62f@quill.bollow.ch>
Manu Sporny <msporny@digitalbazaar.com> wrote:

> The attack is only possible if a message is passed over a non-secure
> channel, right? That is, the spec is clear about passing all messages
> over HTTPS. Granted, that's not an excuse for the approach taken and
> it should be fixed, but the attack is only possible if messages are
> sent over an insecure channel, correct?

Saying "use HTTPS!" does not assure having a channel that is secure in
every respect. Trustworthy security requires careful arguments based
on specific security properties.

Greetings,
Norbert 
Received on Friday, 19 April 2013 08:00:14 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:03:31 UTC