- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 02 Jun 2011 17:06:45 +0100
- To: David Dahl <ddahl@mozilla.com>
- CC: public-web-security@w3.org, Nico Williams <nico@cryptonector.com>

I guess the RFC [1] - those are supposed to be good enough
for implementers:-) If it's not enough, feel free to ping me
and I can try find someone who's written code.

S.

[1] http://tools.ietf.org/html//rfc5705

On 02/06/11 16:57, David Dahl wrote:
> Someone else also asked me about TLS key extraction, I will have to add that to my list of research to do. Can you point me to any further reading?
>
> Cheers,
>
> David
>
> ----- Original Message -----
> From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
> To: "Nico Williams" <nico@cryptonector.com>
> Cc: "David Dahl" <ddahl@mozilla.com>, public-web-security@w3.org
> Sent: Thursday, June 2, 2011 10:01:21 AM
> Subject: Re: Request for feedback: DOMCrypt API proposal
>
>
>
> On 02/06/11 15:41, Nico Williams wrote:
>> If people were to rely on TLS key extraction then we might as well
>> kiss mutual authentication goodbye,
>
> Two things. First, I don't see that that follows and even if
> it did it still would not necessarily be convincing. My idea
> in pushing key extraction is to avoid loads of developers
> re-inventing the TLS handshake (badly) at the application
> layer. Secondly, mutual auth is a different (in practice)
> hard problem that's also well worth trying to address.
>
>> but mutual authentication and
>> channel binding had plenty of support at the workshop (though they are
>> not mentioned in the report).
>
> If there's interest in that too, that's great, but these
> things should not be seen as competing IMO.
>
> S.

Received on Thursday, 2 June 2011 16:07:11 UTC