- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 12 Aug 2015 16:59:15 +0100
- To: Kent Watsen <kwatsen@juniper.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Hi Kent, On 12/08/15 16:33, Kent Watsen wrote: > > Trusted > Internet-based Deployment-specific > Device Bootstrap Server Bootstrap Server > | | | > | | | > | HTTPS using factory | | > | default trust anchor | | > |------------------------->| | > | | | > | HTTP redirect, with | | > | deployment-specific | | > | trust anchor | | > |<-------------------------| | > | | | > | | > |HTTPS using learned trust anchor | > |----------------------------------------------->| > | | > > > > FWIW, this is considered secure, as the trust anchor is learned through a > trusted connection. Eh... considered secure by whom? I would not consider that "secure" if any widget-vendor from whom I purchase anything can then pretend to be any web site. Do you really mean trust-anchor here? Or perhaps you mean "some kind of special public key only to be used for the specific URL that is in this 30x response and only for 1 (really 1?) time"? And what if that URL is say bigbank.example.com? How is that to not work? I guess I'm a bit puzzled. S.
Received on Wednesday, 12 August 2015 15:59:47 UTC