[13847] in cryptography@c2.net mail archive
Re: Announcing httpsy://, a YURL scheme
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Jul 15 08:50:11 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Tue, 15 Jul 2003 11:54:35 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Ed Gerck <egerck@nma.com>
Cc: Tyler Close <tyler@waterken.com>, cryptography@metzdowd.com
In-Reply-To: <3F12F71B.579C1A0D@nma.com>
Ed Gerck wrote:
>>From your URLs:
>
> "The browser verifies that the fingerprint in the URL matches the public key provided by the visited site. Certificates and Certificate Authorities are unnecessary. "
>
> Spoofing? Man-in-the-middle? Revocation?
>
> Also, in general, we find that one reference is not enough to induce trust. Self-references
> cannot induce trust, either (Trust me!). Thus, it is misleading to let the introducer
> determine the message target, in what you call the "y-property". Spoofing and
> MITM become quite easy to do if you trust an introducer to tell you where to go.
BTW, tell me how you do spoofing and MITM if you aren't the trusted
introducer (if you are, clearly there's no need to spoof or MITM,
because you can just give the target of your choice)?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
