[13831] in cryptography@c2.net mail archive

Re: Announcing httpsy://, a YURL scheme

daemon@ATHENA.MIT.EDU (Ed Gerck)
Mon Jul 14 14:42:42 2003

X-Original-To: cryptography@metzdowd.com
Date: Mon, 14 Jul 2003 11:31:55 -0700
From: Ed Gerck <egerck@nma.com>
To: Tyler Close <tyler@waterken.com>
Cc: cryptography@metzdowd.com

From your URLs:

"The browser verifies that the fingerprint in the URL matches the public key provided by the visited site. Certificates and Certificate Authorities are unnecessary."

Spoofing? Man-in-the-middle? Revocation?

Also, in general, we find that one reference is not enough to induce trust. Self-references
cannot induce trust, either (Trust me!). Thus, it is misleading to let the introducer
determine the message target, in what you call the "y-property". Spoofing and
MITM become quite easy to do if you trust an introducer to tell you where to go.

Not that I believe CAs are essential (I don't, for reasons already presented in '97),
but unless the issues of spoofing, MITM and revocation are adequately handled
according to a threat model that is useful, communication cannot be considered
secure.

Cheers,
Ed Gerck


Tyler Close wrote:

> Now available on the Waterken Inc. site is a specification and
> implementation for a new HTTP extension, HTTPSY.
> ...


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
