Announcing httpsy://, a YURL scheme
Ed Gerck
egerck at nma.com
Mon Jul 14 14:31:55 EDT 2003
>From your URLs:
"The browser verifies that the fingerprint in the URL matches the public key provided by the visited site. Certificates and Certificate Authorities are unnecessary. "
Spoofing? Man-in-the-middle? Revocation?
Also, in general, we find that one reference is not enough to induce trust. Self-references
cannot induce trust, either (Trust me!). Thus, it is misleading to let the introducer
determine the message target, in what you call the "y-property". Spoofing and
MITM become quite easy to do if you trust an introducer to tell you where to go.
Not that I believe CAs are essential (I don't, for reasons already presented in '97),
but unless the issues of spoofing, MITM and revocation are adequately handled
according to a threat model that is useful, communication cannot be considered
secure.
Cheers,
Ed Gerck
Tyler Close wrote:
> Now available on the Waterken Inc. site is a specification and
> implementation for a new HTTP extension, HTTPSY.
> ...
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list