W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2018

Origin Signed Responses and certificate requirements

From: Yoav Weiss <yoav@yoav.ws>
Date: Mon, 09 Apr 2018 11:54:26 +0000
Message-ID: <CACj=BEixyCmBOZf1pp3UkF5+a490B+Ow3y6hfZQkT5LULP4e2w@mail.gmail.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Cc: Jeffrey Yasskin <jyasskin@chromium.org>
Hey all,

While reviewing the Origin Signed Responses draft, I noticed that the
certificate
requirements
<https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cross-origin-cert-req>
section
requires the signing certificate to have a specific opt-in to response
signing while also prohibiting such certs from serving TLS connections.

>From a deployment perspective, the second requirement means that an entity
which wants to sign packages as well as terminate TLS connections would
have to maintain multiple certs for each domain, which will significantly
increase complexity.

I'm wondering regarding the reasoning behind that second requirement. Why
can't certs which opt-in to signing packages also be able to serve TLS?
What are the risks involved?

Thanks,
Yoav
Received on Monday, 9 April 2018 11:55:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:15:20 UTC