Is cryptography where security took the wrong branch?

Ben Laurie ben at algroup.co.uk
Mon Sep 8 08:53:20 EDT 2003


Eric Rescorla wrote:

> Ben Laurie <ben at algroup.co.uk> writes:
> 
> 
>>Eric Rescorla wrote:
>>
>>>Incidentally, when designing SHTTP we envisioned that credit
>>>transactions would be done with signatures. I would say that
>>>the Netscape guys were right in believing that confidentiality
>>>for the CC number was good enough.
>>
>>I don't think so. One of the things I'm running into increasingly with
>>HTTPS is that you can't do an end-to-end check on a cert. That is, if I
>>have some guy logging into some site using a client cert, and that site
>>then makes a back-end connection to another site, there's no way it can
>>prove to the back-end site that it has the real guy online (without
>>playing nasty tricks with the guts of SSL, anyway), and there's
>>certainly no way to prove that some particular response came from him.
>>Signing stuff would deal with this trivially.
> 
> 
> Well, I'd certainly like to believe that this is true, since
> it would mean that Allan and I were right all along. :)

You _were_ right all along. At least about this :-)

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list