- From: Yoav Weiss <yoav@yoav.ws>
- Date: Mon, 09 Apr 2018 11:54:26 +0000
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Cc: Jeffrey Yasskin <jyasskin@chromium.org>
Received on Monday, 9 April 2018 11:55:08 UTC
Hey all,

While reviewing the Origin Signed Responses draft, I noticed that the certificate requirements <https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cross-origin-cert-req> section requires the signing certificate to have a specific opt-in to response signing while also prohibiting such certs from serving TLS connections.

From a deployment perspective, the second requirement means that an entity which wants to sign packages as well as terminate TLS connections would have to maintain multiple certs for each domain, which will significantly increase complexity.

I'm wondering regarding the reasoning behind that second requirement. Why can't certs which opt in to signing packages also be able to serve TLS? What are the risks involved?

Thanks,
Yoav