[14065] in cryptography@c2.net mail archive


Re: Is cryptography where security took the wrong branch?

daemon@ATHENA.MIT.EDU (Ben Laurie)
Sun Sep 7 18:06:30 2003

X-Original-To: cryptography@metzdowd.com
Date: Sun, 07 Sep 2003 21:15:34 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: EKR <ekr@rtfm.com>
Cc: iang@systemics.com, crypto <cryptography@metzdowd.com>
In-Reply-To: <kjllt0zgxz.fsf@romeo.rtfm.com>

Eric Rescorla wrote:
> Incidentally, when designing SHTTP we envisioned that credit
> transactions would be done with signatures. I would say that
> the Netscape guys were right in believing that confidentiality
> for the CC number was good enough.

I don't think so. One of the things I'm running into increasingly with
HTTPS is that you can't do an end-to-end check on a cert. That is, if I
have some guy logging into some site using a client cert, and that site
then makes a back-end connection to another site, there's no way it can
prove to the back-end site that it has the real guy online (without
playing nasty tricks with the guts of SSL, anyway), and there's
certainly no way to prove that some particular response came from him.
Signing stuff would deal with this trivially.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
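An added example, not code from the thread, that models the gap Ben describes: a back-end that accepts the front-end site's assertion of who is logged in (all that relaying an HTTPS client-cert login gives it) against a back-end that checks the user's own signature over the forwarded response. It assumes an Ed25519 key standing in for the user's client-cert key, a constructed "charge" string standing in for the response, and an invented user name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Forwarded is what the back-end site receives from the front-end site.
// With HTTPS client auth alone it gets only the front-end's claim of the
// user's identity; with request signing it also carries the user's signature.
type Forwarded struct {
	User string
	Body []byte
	Sig  []byte // nil when the front-end merely relays the TLS identity
}

// acceptOnAssertion is the HTTPS-only back-end: it trusts the front-end's word.
func acceptOnAssertion(f Forwarded, known map[string]ed25519.PublicKey) bool {
	_, ok := known[f.User]
	return ok
}

// acceptOnSignature requires the named user's own signature over the body,
// so neither the front-end nor anything between can alter or invent a response.
func acceptOnSignature(f Forwarded, known map[string]ed25519.PublicKey) bool {
	pub, ok := known[f.User]
	return ok && f.Sig != nil && ed25519.Verify(pub, f.Body, f.Sig)
}

// Scenario returns, in order: assertion-only accepts a tampered response,
// signature check accepts the tampered response, signature check accepts
// the genuine response, assertion-only accepts a response the user never sent.
func Scenario() (bool, bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed user key
	if err != nil {
		panic(err)
	}
	known := map[string]ed25519.PublicKey{"alice": pub}

	genuine := []byte("charge 10.00 to alice") // constructed response
	sig := ed25519.Sign(priv, genuine)

	honest := Forwarded{User: "alice", Body: genuine, Sig: sig}
	tampered := Forwarded{User: "alice", Body: []byte("charge 9999.00 to alice"), Sig: sig}
	unsent := Forwarded{User: "alice", Body: []byte("charge 50.00 to alice")} // no signature at all

	return acceptOnAssertion(tampered, known), acceptOnSignature(tampered, known),
		acceptOnSignature(honest, known), acceptOnAssertion(unsent, known)
}

func main() {
	a, b, c, d := Scenario()
	fmt.Println("assertion accepts tampered:", a, "| signature accepts tampered:", b,
		"| signature accepts genuine:", c, "| assertion accepts unsent:", d)
}
```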
