RE: 2 questions

From: adrien@qbik.com
To: dan-anderson@cox.net; Walter.H@mathemainzel.info
CC: ietf-http-wg@w3.org
Date: Mon, 30 Mar 2015 20:53:05 +0000
Subject: Re: 2 questions

>think of someone or company uses Internet for e-commerce; e.g. presenting his products is public for anybody; this doesn't need to be presented in TLS, 


Is this still a valid assumption?


I might not particularly, initially, care about confidentiality.  But I think I would still care about the integrity benefits (Am I talking to the site I think I am talking to?, is there a man in the middle?, etc.)
 
> so how do you get integrity benefits when there is a MitM?  Client certificates?  Good luck with that.

Why are client certificates needed? Client certificates are for the servers to authenticate clients, but what Dan said was "am I talking to the site I think I am talking to". The assurance of integrity is provided by the normal TLS without client certs.

Best,
Xiaoyin

Received on Monday, 30 March 2015 22:53:31 UTC