Announcing httpsy://, a YURL scheme

Tyler Close tyler at
Mon Jul 14 20:22:54 EDT 2003

On Monday 14 July 2003 20:04, Perry E. Metzger wrote:
> Tyler Close <tyler at> writes:
> > I have demonstrated the theory behind YURLs by providing an
> > implementation, the Waterken Browser, and by explaining how two
> > other widely used systems implement the theory.
> Having an implementation demonstrates nothing whatsoever about
> security -- many implemented systems are, after all, insecure.
> If you wish to demonstrate the security of your system, one would
> expect a detailed explanation of the threat model you're trying to
> address, and why those threats are thwarted by the design.

The security properties enforced by a YURL implementation are
clearly defined at:

If you doubt the value of this security model, I point out, as
empirical evidence only, that SSH and PGP use the same security

I asked Ed to provide an attack on the implementation because his
arguments lacked focus and clarity. For example, he referred to
MITM without specifying any details, such as what middle.  I was
hoping that by focusing on the implementation, his understanding
of the theoretical model would be improved.

Please read the provided documentation.  The YURL Definition
establishes the criteria and the HTTPSY specification explains how
those criteria are met. Several other documents explain why all of
this is important.


The union of REST and capability-based security:

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list