- From: David Dahl <ddahl@mozilla.com>
- Date: Thu, 2 Jun 2011 08:57:37 -0700 (PDT)
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: public-web-security@w3.org, Nico Williams <nico@cryptonector.com>
Someone else also asked me about TLS key extraction, I will have to add that to my list of research to do. Can you point me to any further reading? Cheers, David ----- Original Message ----- From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie> To: "Nico Williams" <nico@cryptonector.com> Cc: "David Dahl" <ddahl@mozilla.com>, public-web-security@w3.org Sent: Thursday, June 2, 2011 10:01:21 AM Subject: Re: Request for feedback: DOMCrypt API proposal On 02/06/11 15:41, Nico Williams wrote: > If people were to rely on TLS key extraction then we might as well > kiss mutual authentication goodbye, Two things. First, I don't see that that follows and even if it did it still would not necessarily be convincing. My idea in pushing key extraction is to avoid loads of developers re-inventing the TLS handshake (badly) at the application layer. Secondly, mutual auth is a different (in practice) hard problem that's also well worth trying to address. > but mutual authentication and > channel binding had plenty of support at the workshop (though they are > not mentioned in the report). If there's interest in that too, that's great, but these things should not be seen as competing IMO. S.
Received on Thursday, 2 June 2011 15:58:05 UTC