Announcing httpsy://, a YURL scheme

Ed Gerck egerck at nma.com
Tue Jul 15 17:15:50 EDT 2003



Tyler Close wrote:

> Please read the provided documentation.
> ...

This is what your documentation says about key revocation:

 "When using YURLs, sysadmins can shorten the lifetime of a
  certificate, change keys more frequently, and thus reduce
  their site's vulnerability to identity theft. Keys could even be
  changed at a frequency that would enable the site to forgo
  certificate revocation and Certificate Revocation Lists (CRLs)."

Really? What prevents the attacker from having a rogue site
with the stolen key if there is nowhere to verify whether the
key is valid or not?

From your other URLs, I also read:

 "A YURL MUST provide all the information required to
 authenticate the target site. Authentication of the target
 site MUST ONLY rely on information contained in the
 YURL."

The YURL is the single point of control and that is a problem,
not a solution. The YURL must also be recognized as a single
point of failure -- i.e., no matter how trustworthy that single point
of control is, it may fail or be compromised and there is no recourse
available because it is the single point of control.

Cheers,
Ed Gerck


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


