- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 02 Feb 2014 18:04:18 +0100
- To: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2014-02-01 10:42, Roy T. Fielding wrote:
> On Jan 31, 2014, at 8:36 PM, Mark Nottingham wrote:
>
>>> The "https" scheme (Section 2.7.2) is intended to prevent (or at
>>> least reveal) many of these potential attacks on establishing
>>> authority, assuming the negotiated TLS connection is secured in a way
>>> that verifies the communicating server's identity matches the target
>>> URI's authority component (see [RFC2818] and [Georgiev]).
>>
>> Given the state of the world, this seems like a huge assumption — can we at least acknowledge that here be dragons as well?
>
> Yep, the paper by Georgiev et al. is a catalog of dragons with real
> examples and suggestions. I will split that into two sentences so
> that the reason to look at the paper is clear.
>
> ....Roy

Hi Roy,

I have re-read all of the Security Considerations and they look good to me.

Thank you for doing this work!

Best regards,
Julian
Received on Sunday, 2 February 2014 17:04:54 UTC
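The draft text quoted in this thread assumes that the TLS layer verifies the server's identity against the target URI's authority component, and the Georgiev et al. paper it cites catalogues clients that skip or botch exactly that check. The Python below is an added illustration, not code from this thread, from the draft, or from any of the participants: it implements the name-matching step of that check over a certificate in the shape `ssl.SSLSocket.getpeercert()` returns (exact and left-most-label wildcard DNS names, IP-address entries, and the rule that a CN is consulted only when no SAN extension exists), and places a hardened `ssl.SSLContext` beside the weakened one the paper describes. The sample certificates are constructed, and the function names are mine.

```python
"""Hostname verification for the 'https' authority check (added example).

Matches the host part of a target URI against a peer certificate in the
dict shape returned by ssl.SSLSocket.getpeercert(), following the usual
RFC 6125 rules, and contrasts a hardened SSLContext with the weakened one
found in the clients Georgiev et al. catalogue. Sample data is constructed.
"""
import ipaddress
import ssl
from urllib.parse import urlsplit


def authority_host(uri: str) -> str:
    """Host from the URI's authority: lowercased, port and IPv6 brackets removed."""
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError("URI has no authority component: " + uri)
    return host


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard is honoured only as the whole
    left-most label and only when at least two labels follow it, so
    '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com', and '*.com' matches nothing."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if "*" in pattern:
        if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_authority(cert: dict, host: str) -> bool:
    """True if the certificate binds the peer to `host` (output of authority_host)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        # With a SAN extension present the subject CN must be ignored.
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
            elif ip is None and kind == "DNS" and dns_name_matches(value, host):
                return True
        return False
    # Legacy fallback: CN only, and only for DNS names, never IP literals.
    if ip is not None:
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, host):
                return True
    return False


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the system trust store plus hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True          # already the default; stated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: handshake succeeds against any certificate, so the
    'https' scheme no longer ties the peer to the URI's authority."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_enforces_identity(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample certificates (not real), in getpeercert() shape.
SAMPLE_CERT_SAN = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
SAMPLE_CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}

if __name__ == "__main__":
    for uri in ("https://WWW.example.com:8443/", "https://evil.example.net/",
                "https://v1.api.example.com/", "https://192.0.2.10/"):
        print(uri, cert_matches_authority(SAMPLE_CERT_SAN, authority_host(uri)))
    print("hardened:", context_enforces_identity(hardened_context()))
    print("weak:", context_enforces_identity(weak_context()))
```

In a real client the name check is only half of the assumption in the draft text; the other half is chain validation to a trusted anchor, which `create_default_context()` turns on and `weak_context()` switches off. The `subjectAltName` matching here deliberately ignores the CN whenever a SAN extension is present, which is the rule several of the clients in the Georgiev et al. catalogue got wrong.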