Re: secure HTTPS redirect - encoding a new trust anchor?


On 12/08/15 17:56, Kent Watsen wrote:
> I think your question regards the general applicability of this idea by
> web browsers, where having the web browser dynamically learn a new trust
> anchor certificate, even if over a trusted connection, can lead to misuse.
> Is that right? - that is, is your concern for generic use more so
> than the specific use of zerotouch bootstrapping?

Sort of. I'm concerned with generic *ab*use (well also with specific

The example you gave would appear to allow to arrange
that the HTTP client ends up talking to but thinking
it is talking to I'd say that's a pretty dangerous
implement esp given the 1000's of perhaps not very highly experienced
and universally trusted widget vendors in the universe.


