
Re: #549: augmented security considerations in p1

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 02 Feb 2014 18:04:18 +0100
Message-ID: <52EE7A92.80608@gmx.de>
To: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>

On 2014-02-01 10:42, Roy T. Fielding wrote:
> On Jan 31, 2014, at 8:36 PM, Mark Nottingham wrote:
>
>>>   The "https" scheme (Section 2.7.2) is intended to prevent (or at
>>>   least reveal) many of these potential attacks on establishing
>>>   authority, assuming the negotiated TLS connection is secured in a way
>>>   that verifies the communicating server's identity matches the target
>>>   URI's authority component (see [RFC2818] and [Georgiev]).
>>
>> Given the state of the world, this seems like a huge assumption; can we at least acknowledge that here be dragons as well?
>
> Yep, the paper by Georgiev et al. is a catalog of dragons with real
> examples and suggestions.  I will split that into two sentences so
> that the reason to look at the paper is clear.
>
> ....Roy

Hi Roy,

I have re-read all of the Security Considerations and they look good to 
me. Thank you for doing this work!

Best regards, Julian
Received on Sunday, 2 February 2014 17:04:54 UTC
