W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: PRISM and HTTP/2.0

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 16 Jul 2013 12:29:14 -0500
Message-ID: <CAK3OfOj6i2e4Lz7jruy49XugKzpv-Ckn4GiVE6M6EvFVVMk2bg@mail.gmail.com>
To: Reto Bachmann-Gmür <reto@gmuer.ch>
Cc: Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Jul 16, 2013 at 11:28 AM, Reto Bachmann-Gmür <reto@gmuer.ch> wrote:
> On Tue, Jul 16, 2013 at 2:20 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>> On 16/07/2013 4:19 a.m., Reto Bachmann-Gmür wrote:
>> I can't think how.
>
> Abusing the userinfo subcomponent a  URI could look like this
>
> https://WanYixZKajPyjw2llf@example.org/foo
>
> If the public key presented by the server does not match the digest
> WanYixZKajPyjw2llf the client would present a warning.
>
>> The MITM can as easily change that public key to its own
>> one and use the original itself as the client could use it in the first
>> place.
>
> No. The MITM might be able to provide a duly signed certificate for
> example.org but it would much harder to create one which matches the
> digest present in the referring URIs.

This doesn't allow for key/cert rollover.
Received on Tuesday, 16 July 2013 17:29:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC