Announcing httpsy://, a YURL scheme

Ed Gerck egerck at
Mon Jul 14 18:45:16 EDT 2003

Tyler Close wrote:

> I have demonstrated the theory behind YURLs by providing an
> implementation, the Waterken Browser, and by explaining how two
> other widely used systems implement the theory. Please clarify
> your concerns by providing a detailed attack description for any
> one of these three implementations.


I did not see the issues of spoofing, MITM and revocation being
addressed at all. For these threats, however, the attack descriptions
are well-known and rather easy to carry out.

But there are other issues. Let me exemplify with PGP, which is
one of the models you cite. In PGP there is no entity responsible if
(or when) something goes wrong (not even the user). The use of
PGP in a commercial situation has been difficult and may not
adequately protect the business interests involved, which usually
need to be guaranteed in well-defined contracts with loss responsibilities
and fines. Furthermore, PGP does not scale so well in size (because of the
asynchronous maintenance difficulties of the web of trust) and time
(because of the same maintenance problems reflected in the so-called
certificate revocation certificates, a CRL for PGP certificates).

You may find the same issues with httpsy -- however, as in PGP, within
a circle of close friends (or within a company/organization) this may not
be important.

Ed Gerck

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list