Tyler Close wrote:

> I have demonstrated the theory behind YURLs by providing an
> implementation, the Waterken Browser, and by explaining how two
> other widely used systems implement the theory. Please clarify
> your concerns by providing a detailed attack description for any
> one of these three implementations.

Tyler,

I did not see the issues of spoofing, MITM and revocation being addressed at all. For these threats, however, the attack descriptions are well-known and rather easy to carry out.

But there are other issues. Let me exemplify with PGP, which is one of the models you cite. In PGP there is no entity responsible if (or when) something goes wrong (not even the user). The use of PGP in a commercial situation has been difficult and may not adequately protect the business interests involved, which usually need to be guaranteed in well-defined contracts with loss responsibilities and fines. Furthermore, PGP does not scale so well in size (because of the asynchronous maintenance difficulties of the web of trust) and time (because of the same maintenance problems reflected in the so-called certificate revocation certificates, a CRL for PGP certificates).

You may find the same issues with httpsy -- however, as in PGP, within a circle of close friends (or within a company/organization) this may not be important.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
