- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 12 Aug 2015 21:32:23 +0100
- To: Kent Watsen <kwatsen@juniper.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- CC: "Max Pritikin (pritikin)" <pritikin@cisco.com>

Hiya,

On 12/08/15 17:56, Kent Watsen wrote:
> I think your question regards the general applicability of this idea by
> web browsers, where having the web browser dynamically learn a new trust
> anchor certificate, even if over a trusted connection, can lead to misuse.
> Is that right? - that is, is your concern for generic use more so
> than the specific use of zerotouch bootstrapping?

Sort of. I'm concerned with generic *ab*use (well also with
specific abuses:-)

The example you gave would appear to allow widget-vendor.com
to arrange that the HTTP client ends up talking to
widget-vendor.com but thinking it is talking to
my-os-update.com. I'd say that's a pretty dangerous implement
esp given the 1000's of perhaps not very highly experienced
and universally trusted widget vendors in the universe.

Cheers,
S.

Received on Wednesday, 12 August 2015 20:32:53 UTC