- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 07 Dec 2015 12:25:47 +0000
- To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>, "Cory Benfield" <cory@lukasa.co.uk>
- Cc: "Jacob Appelbaum" <jacob@appelbaum.net>, "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
um in TLS the Server cert message includes the server cert in ASN.1 format including the public key So I don't see this being any different. Or am I missing something? Adrien ------ Original Message ------ From: "Poul-Henning Kamp" <phk@phk.freebsd.dk> To: "Cory Benfield" <cory@lukasa.co.uk> Cc: "Jacob Appelbaum" <jacob@appelbaum.net>; "Amos Jeffries" <squid3@treenet.co.nz>; "ietf-http-wg@w3.org" <ietf-http-wg@w3.org> Sent: 7/12/2015 11:53:55 p.m. Subject: Re: SSL/TLS everywhere fail >-------- >In message <51A9584D-0F29-484A-AAC5-75C46D35658F@lukasa.co.uk>, Cory >Benfield writes: > >>I ask these questions only because you used the word 'simple'. >>The header itself (as in, the bytes on the wire) may be simple, but >>the technological underpinnings of this approach are *not* simple, at >>least as far as I can see. The best we have right now is a current I-D >>that aims to address exactly this, >>draft-thomson-http-content-signature[0], and that draft suffers from >>the >>absurd flaw that the signing public key is transmitted in >>unauthenticated cleartext right alongside the signature itself. > >I am not sure I understand why you consider that an "absurd flaw" >and I have not been able to find any mail-discussion where such >a critique is raised. > >Can you summarize the argument ? > >-- >Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 >phk@FreeBSD.ORG | TCP/IP since RFC 956 >FreeBSD committer | BSD since 4.3-tahoe >Never attribute to malice what can adequately be explained by >incompetence. >
Received on Monday, 7 December 2015 12:26:28 UTC