[13846] in cryptography@c2.net mail archive

Re: Announcing httpsy://, a YURL scheme

daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Jul 15 08:49:34 2003

X-Original-To: cryptography@metzdowd.com
Date: Tue, 15 Jul 2003 11:52:00 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Ed Gerck <egerck@nma.com>
Cc: Tyler Close <tyler@waterken.com>, cryptography@metzdowd.com
In-Reply-To: <3F12F71B.579C1A0D@nma.com>

Ed Gerck wrote:

> From your URLs:
> 
> "The browser verifies that the fingerprint in the URL matches the public key provided by the visited site. Certificates and Certificate Authorities are unnecessary."
> 
> Spoofing? Man-in-the-middle? Revocation?
> 
> Also, in general, we find that one reference is not enough to induce trust. Self-references
> cannot induce trust, either (Trust me!). Thus, it is misleading to let the introducer
> determine the message target, in what you call the "y-property". Spoofing and
> MITM become quite easy to do if you trust an introducer to tell you where to go.

What is a CA other than an introducer?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
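
The check quoted in the message above (the browser compares the fingerprint in the URL with the public key the site presents), sketched as an added example that is not from this thread or from the httpsy project. The URL layout (fingerprint in the userinfo part), the choice of SHA-256, the helper names and the key byte strings are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# ASSUMPTIONS (not from the page): the fingerprint is the hex SHA-256 of the
# site's public key bytes and sits in the userinfo part of the URL.

def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()

def pinned_fingerprint(url: str) -> str:
    """Extract and validate the fingerprint carried by the URL."""
    parts = urlsplit(url)
    fp = (parts.username or "").lower()
    if parts.scheme != "httpsy" or not parts.hostname:
        raise ValueError("not an httpsy URL with a host")
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("URL carries no well-formed fingerprint")
    return fp

def key_matches_url(url: str, presented_key: bytes) -> bool:
    """True only if the key the server presents hashes to the URL's fingerprint."""
    return hmac.compare_digest(pinned_fingerprint(url), fingerprint(presented_key))

def make_url(public_key: bytes, host: str) -> str:
    return f"httpsy://{fingerprint(public_key)}@{host}/"

# Constructed sample keys (opaque byte strings standing in for encoded public keys).
SITE_KEY = b"constructed public key of the intended site"
OTHER_KEY = b"constructed public key of some other party"

def demo() -> dict:
    good_url = make_url(SITE_KEY, "site.example")
    other_url = make_url(OTHER_KEY, "site.example")
    return {
        # Key presented on the wire matches the URL: accepted without any CA.
        "site key, site URL": key_matches_url(good_url, SITE_KEY),
        # A different key presented for the same URL is rejected.
        "other key, site URL": key_matches_url(good_url, OTHER_KEY),
        # The check binds key to URL only: a URL carrying another fingerprint
        # verifies against that other key, so trust rests on the URL's source.
        "other key, other URL": key_matches_url(other_url, OTHER_KEY),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The third case is the one the exchange turns on: the comparison authenticates the key against the URL, and says nothing about who supplied the URL.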