- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 07 Dec 2015 10:53:55 +0000
- To: Cory Benfield <cory@lukasa.co.uk>
- cc: Jacob Appelbaum <jacob@appelbaum.net>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
-------- In message <51A9584D-0F29-484A-AAC5-75C46D35658F@lukasa.co.uk>, Cory Benfield writes: >I ask these questions only because you used the word 'simple'. >The header itself (as in, the bytes on the wire) may be simple, but >the technological underpinnings of this approach are *not* simple, at >least as far as I can see. The best we have right now is a current I-D >that aims to address exactly this, >draft-thomson-http-content-signature[0], and that draft suffers from the >absurd flaw that the signing public key is transmitted in >unauthenticated cleartext right alongside the signature itself. I am not sure I understand why you consider that an "absurd flaw" and I have not been able to find any mail-discussion where such a critique is raised. Can you summarize the argument ? -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 7 December 2015 10:54:26 UTC