Announcing httpsy://, a YURL scheme

Ed Gerck egerck at nma.com
Mon Jul 14 14:31:55 EDT 2003


>From your URLs:

"The browser verifies that the fingerprint in the URL matches the public key provided by the visited site. Certificates and Certificate Authorities are unnecessary. "

Spoofing? Man-in-the-middle? Revocation?

Also, in general, we find that one reference is not enough to induce trust. Self-references
cannot induce trust, either (Trust me!). Thus, it is misleading to let the introducer
determine the message target, in what you call the "y-property". Spoofing and
MITM become quite easy to do if you trust an introducer to tell you where to go.

Not that I believe CAs are essential (I don't, for reasons already presented in '97),
but unless the issues of spoofing, MITM and revocation are adequately handled
according to a threat model that is useful, communication cannot be considered
secure.

Cheers,
Ed Gerck


Tyler Close wrote:

> Now available on the Waterken Inc. site is a specification and
> implementation for a new HTTP extension, HTTPSY.
> ...


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list