[14082] in cryptography@c2.net mail archive
Re: Is cryptography where security took the wrong branch?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Mon Sep 8 13:21:47 2003
X-Original-To: cryptography@metzdowd.com
Date: Mon, 08 Sep 2003 13:53:20 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: EKR <ekr@rtfm.com>
Cc: iang@systemics.com, crypto <cryptography@metzdowd.com>
In-Reply-To: <kjpticxpxg.fsf@romeo.rtfm.com>
Eric Rescorla wrote:
> Ben Laurie <ben@algroup.co.uk> writes:
>
>
>>Eric Rescorla wrote:
>>
>>>Incidentally, when designing SHTTP we envisioned that credit
>>>transactions would be done with signatures. I would say that
>>>the Netscape guys were right in believing that confidentiality
>>>for the CC number was good enough.
>>
>>I don't think so. One of the things I'm running into increasingly with
>>HTTPS is that you can't do an end-to-end check on a cert. That is, if I
>>have some guy logging into some site using a client cert, and that site
>>then makes a back-end connection to another site, there's no way it can
>>prove to the back-end site that it has the real guy online (without
>>playing nasty tricks with the guts of SSL, anyway), and there's
>>certainly no way to prove that some particular response came from him.
>>Signing stuff would deal with this trivially.
>
>
> Well, I'd certainly like to believe that this is true, since
> it would mean that Allan and I were right all along. :)
You _were_ right all along. At least about this :-)
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
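Ben's scenario above, a client-cert login at a front-end site whose back-end connection cannot verify that the real user is online or that a given response came from him, and his remark that signing would deal with it, as an added Go example that is not from this thread or either poster. It assumes Ed25519 (the thread names no algorithm) and adds the audience and nonce binding a practitioner would want, since a bare signature could still be relayed by the front-end to a different back-end or replayed; the names `SignedRequest`, `Sign` and `Verify` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// SignedRequest is what the user's client hands to the front-end site. Audience and
// Nonce bind the signature to one back-end and one use (added here as assumptions).
type SignedRequest struct {
	Payload   []byte `json:"payload"`
	Audience  string `json:"aud"`
	Nonce     []byte `json:"nonce"`
	IssuedAt  int64  `json:"iat"`
	Signature []byte `json:"sig,omitempty"`
}

// signingInput is the canonical byte string the signature covers: the request with
// the signature cleared, JSON-encoded (struct field order makes it deterministic).
func signingInput(r SignedRequest) []byte {
	r.Signature = nil
	b, _ := json.Marshal(r) // cannot fail for these field types
	return b
}

// Sign runs on the user's client; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, payload []byte, audience string) SignedRequest {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error
	r := SignedRequest{Payload: payload, Audience: audience, Nonce: nonce, IssuedAt: time.Now().Unix()}
	r.Signature = ed25519.Sign(priv, signingInput(r))
	return r
}

// Verify runs on the back-end, which needs only the user's public key and places no
// trust in the relaying front-end. seen holds accepted nonces; the caller may drop
// entries older than maxAge, since the timestamp check rejects those anyway.
func Verify(pub ed25519.PublicKey, r SignedRequest, self string, now, maxAge int64, seen map[string]bool) error {
	if r.Audience != self {
		return errors.New("signed for a different back-end")
	}
	if r.IssuedAt > now+60 || now-r.IssuedAt > maxAge {
		return errors.New("timestamp outside acceptance window")
	}
	if seen[string(r.Nonce)] {
		return errors.New("nonce already used: replay")
	}
	if !ed25519.Verify(pub, signingInput(r), r.Signature) {
		return errors.New("signature does not verify under the claimed user's key")
	}
	seen[string(r.Nonce)] = true
	return nil
}
```

Contrast this with TLS client authentication, which proves the user only to the front-end's TLS endpoint and leaves nothing the back-end can check on its own.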
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com