- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 17 Jul 2013 00:20:13 +1200
- To: ietf-http-wg@w3.org
On 16/07/2013 4:19 a.m., Reto Bachmann-Gmür wrote: > On Sun, Jul 14, 2013 at 12:41 AM, J Ross Nicoll wrote: >> Bogus certificates and server-side backdoors seem inevitable, at least in >> the current political climate. I don't think any realistic changes at the >> transport layer will affect that (unrealistic changes would include "move to >> a web of trust"). > Not sure if it would be within the possibilities of this WG to define > an optional public key hash in HTTP URIs. If a link contains such a > hash of the public key of the target this would protect against > attacks from a root-certificate holding man in the middle. I can't think how. The MITM can as easily change that public key to its own one and use the original itself as the client could use it in the first place. Security 101 - never send the vital key data over a suspect channel which relys on that key for protection. The whole of this thread is beyond WG charter IMHO. Let us stop circling the drain on it. Amos
Received on Tuesday, 16 July 2013 12:20:48 UTC