- From: Tom Ritter <tom@ritter.vg>
- Date: Sun, 11 Dec 2011 18:37:10 -0500
- To: public-identity@w3.org
So thinking about 5705, I'm wondering how useful it is after all. TLS key extraction via 5705 would enable, as an example, a web application that encrypts something, sends it up via TLS, and the web application decrypts it for processing locally. It'd be encrypted inside of TLS encryption, which I think really only gives an advantage if the TLS session is negotiated using Diffe Hellman. Otherwise someone with access to the private key could decrypt both the TLS stream and the 5705-encrypted data. And that generalizes from an encrypted blob to anything. 5705 seems to decay to TLS unless DH is in play. (Is that accurate? If not, then 2/3 of my critism is void.) 5705 would also require exposing the methods server-side, up through the library (OpenSSL/SChannel/GNUTLS) and through the web server & language package (mod_php/mod_python/wsgi/etc). That's a lot of moving parts. I'm not opposed to it but it seems like a lot of work for not a lot of gain. > The last one there also sounds reasonable. Not sure I get what > "operate on" might mean for the 2nd last one. > I'd like some details on the precise parameters to be exposed. I'm going to expand on those bullet points in a seperate mail in the Use Cases thread. -tom
Received on Monday, 12 December 2011 12:32:05 UTC