Announcing httpsy://, a YURL scheme

Ed Gerck egerck at nma.com
Mon Jul 14 20:43:39 EDT 2003


Tyler Close wrote:

> I have demonstrated the theory behind YURLs by providing an
> implementation, the Waterken Browser, and by explaining how two
> other widely used systems implement the theory. Please clarify
> your concerns by providing a detailed attack description for any
> one of these three implementations.

Tyler,

I did not see the issues of spoofing, MITM and revocation being
addressed at all. For these threats, however, the attack descriptions
are well-known and rather easy to carry out.

But there are other issues. Let me exemplify with PGP, which is
one of the models you cite. In PGP there is no entity responsible if
(or when) something goes wrong (not even the user). The use of
PGP in a commercial situation has been difficult and may not
adequately protect the business interests involved, which usually
need to be guaranteed in well-defined contracts with loss responsibilities
and fines. Furthermore, PGP does not scale so well in size (because of the
asynchronous maintenance difficulties of the web of trust) and time
(because of the same maintenance problems reflected in the so-called
certificate revocation certificates, a CRL for PGP certificates).

You may find the same issues with httpsy -- however, as in PGP, within
a circle of close friends (or within a company/organization) this may not
be important.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
