Announcing httpsy://, a YURL scheme

Ben Laurie ben at algroup.co.uk
Tue Jul 15 06:54:35 EDT 2003


Ed Gerck wrote:

> From your URLs:
> 
> "The browser verifies that the fingerprint in the URL matches the public key provided by the visited site. Certificates and Certificate Authorities are unnecessary."
> 
> Spoofing? Man-in-the-middle? Revocation?
> 
> Also, in general, we find that one reference is not enough to induce trust. Self-references
> cannot induce trust, either (Trust me!). Thus, it is misleading to let the introducer
> determine the message target, in what you call the "y-property". Spoofing and
> MITM become quite easy to do if you trust an introducer to tell you where to go.

BTW, tell me how you do spoofing and MITM if you aren't the trusted
introducer (if you are, clearly there's no need to spoof or MITM,
because you can just give the target of your choice)?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


