- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 11 Jul 2016 14:01:50 +1000
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 11 July 2016 at 11:23, Eric Rescorla <ekr@rtfm.com> wrote:

> 1. It's not possible to force a counterparty to demonstrate that he still
> has control of a given signing key. So, for instance, if you were a server
> and wanted a user to demonstrate that he still had access to the key (like,
> it's in a token and you're authorizing a high value transaction). Because
> what he signs is the same every time, the counterparty can just replay the
> previous assertion.

I think that there is still room for restructuring how the assertions are made so that integrating a request identifier (which might be large and random) into the signature is a good idea.

> 2. If you have two certificates with the same key pair, a signature for one
> is a signature for both (for the same reason as #1).

Yes, we should cover the certificate with the signature. It's relatively easy to do. And even if this isn't something that can be exploited, it keeps this design from diverging too much from TLS unnecessarily.
Received on Monday, 11 July 2016 04:02:19 UTC
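Added illustration, not code from this thread or from the draft it discusses: a Python sketch of the two bindings proposed above (a per-request identifier and the certificate itself covered by the signature), showing on the verifier side that the unbound form accepts a replayed assertion and a cross-certificate one while the bound form rejects both. A keyed MAC from the standard library stands in for the public-key signature, and the connection value, certificates and request identifiers are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins. SIGNING_KEY plays the client's signing key; a keyed MAC
# replaces the public-key signature so this runs offline, the binding argument
# is unchanged. CONNECTION_BINDING is an assumed name for whatever per-connection
# value the draft has the client sign today.
SIGNING_KEY = os.urandom(32)
CONNECTION_BINDING = os.urandom(32)
CERT_A = b"constructed DER of certificate A"
CERT_B = b"constructed DER of certificate B"   # different cert, same key pair

def _lp(field: bytes) -> bytes:
    """Length-prefix a field so the signed input parses unambiguously."""
    return len(field).to_bytes(2, "big") + field

def signed_input(cert_der: Optional[bytes], request_id: Optional[bytes]) -> bytes:
    """Bytes the client signs. With both arguments None this is the scheme Eric
    objects to: identical input on every request. Supplying them binds the
    assertion to one certificate and one request."""
    data = b"http-cert-assertion" + _lp(CONNECTION_BINDING)
    if cert_der is not None:
        data += _lp(hashlib.sha256(cert_der).digest())
    if request_id is not None:
        data += _lp(request_id)
    return data

def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def replay_accepted(bind: bool) -> bool:
    """Server challenges twice; client answers the second with the first assertion."""
    cert = CERT_A if bind else None
    old_assertion = sign(signed_input(cert, os.urandom(16) if bind else None))
    # The verifier rebuilds the input for the *current* request, with its own fresh id.
    return verify(signed_input(cert, os.urandom(16) if bind else None), old_assertion)

def cross_cert_accepted(bind: bool) -> bool:
    """Assertion made for CERT_A presented alongside CERT_B (same key pair)."""
    rid = os.urandom(16) if bind else None
    assertion = sign(signed_input(CERT_A if bind else None, rid))
    return verify(signed_input(CERT_B if bind else None, rid), assertion)
```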