- From: Daniel Stenberg <daniel@haxx.se>
- Date: Mon, 4 Jan 2010 00:26:41 +0100 (CET)
- To: public-web-security@w3.org
- cc: Yutaka OIWA <y.oiwa@aist.go.jp>
On Thu, 24 Dec 2009, Yutaka OIWA wrote:
> Our proposed draft spec is available from
> <http://tools.ietf.org/html/draft-oiwa-http-mutualauth-05>.
In general I think this seems like a good idea (even though I've not yet
studied the details).
What struck me at once when reading the introduction was the phrase:
"Users can safely input sensitive data to the web forms after confirming
that the mutual authentication has succeeded."
... but you only authenticated fine, there's no protection against
eavesdroppers in this scheme! A user would only be "safe" to "input sensitive
data" if the connection is also protected by some other means which is beyond
the scope of this protocol, but still I think the way that is written is
slightly misleading.
--
/ daniel.haxx.se
Received on Sunday, 3 January 2010 23:27:19 UTC