Re: Semantics of HTTPS

In message <53FE12F6-33BE-4731-8E20-72A79496EB80@mnot.net>, Mark Nottingham writes:

>Should we state that the HTTPS URI scheme implies end-to-end security 
>(i.e., between the user-agent and the origin server)?

Given the current hostile actions in the certificate-space, I think such
a statement should be footnoted with something like:

	Please notice that "end" in this context merely means "where
	the SSL/TLS session terminates".  Only proper handling and
	examination of the involved cryptographic keys can provide
	assurance that the other "end" is where it claims to be.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Thursday, 13 September 2012 05:50:21 UTC