> Having said that I was quite suprised that a new method was suggested. > It IMHO mainly adds bloat.
It proves authoritative access over the server. Changing the certificate requires modifying the server configuration. SimpleHTTP/S is vulnerable to attackers who have filesystem access (PHP script etc) but don't necessarily have authoritative permission over the server process itself. DVSNI also doesn't require an HTTP server to perform the challenge. On Wed, Mar 25, 2015 at 3:36 PM, Joseph Lorenzo Hall <[email protected]> wrote: > Cool, thanks for clarifying, all. > > On Wed, Mar 25, 2015 at 5:25 PM, Salz, Rich <[email protected]> wrote: > > > >> This seems like a big deal, no? That is, since SNI is one of the few > things not > >> protected in the TLS handshake, it does seem spoofable. If there's not > >> something I'm missing, it seems like the proposal should just drop DVSNI > >> altogether. > > > > The SNI is protected (part of the message final MAC's) but it is not > encrypted. > > > > > > -- > Joseph Lorenzo Hall > Chief Technologist > Center for Democracy & Technology > 1634 I ST NW STE 1100 > Washington DC 20006-4011 > (p) 202-407-8825 > (f) 202-637-0968 > [email protected] > PGP: https://josephhall.org/gpg-key > fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 > > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
