Ben Laurie <[EMAIL PROTECTED]> writes:

> Eric Rescorla wrote:
> > Incidentally, when designing SHTTP we envisioned that credit
> > transactions would be done with signatures. I would say that
> > the Netscape guys were right in believing that confidentiality
> > for the CC number was good enough.
> 
> I don't think so. One of the things I'm running into increasingly with
> HTTPS is that you can't do an end-to-end check on a cert. That is, if I
> have some guy logging into some site using a client cert, and that site
> then makes a back-end connection to another site, there's no way it can
> prove to the back-end site that it has the real guy online (without
> playing nasty tricks with the guts of SSL, anyway), and there's
> certainly no way to prove that some particular response came from him.
> Signing stuff would deal with this trivially.

Well, I'd certainly like to believe that this is true, since
it would mean that Allan and I were right all along. :)

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]
                http://www.rtfm.com/
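An added illustration of the end-to-end check Ben describes, not code from the thread or from either author: the client signs a nonce issued by the back-end together with its request, so the back-end can verify both that the real client is online and that this particular response came from him, without trusting the intermediate site. The ed25519 choice, the message layout, and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage is what the front-end forwards; the front-end never holds the key.
type SignedMessage struct {
	Challenge []byte // 16-byte nonce issued by the back-end
	Body      []byte // the client's actual request
	Sig       []byte // client's signature over Challenge||Body
}

// signedBytes fixes the layout the signature covers (Challenge is always 16 bytes).
func signedBytes(challenge, body []byte) []byte {
	return append(append([]byte{}, challenge...), body...)
}

// BackendChallenge: a signature over a fresh back-end nonce proves the client is
// online now, rather than an old signature being replayed by the front-end.
func BackendChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

// ClientSign is the end-to-end proof: only the client's private key can mint Sig.
func ClientSign(priv ed25519.PrivateKey, challenge, body []byte) SignedMessage {
	return SignedMessage{Challenge: challenge, Body: body,
		Sig: ed25519.Sign(priv, signedBytes(challenge, body))}
}

// BackendVerify runs at the back-end with the client's public key and the nonce
// it issued; the intermediate site cannot alter Body or reuse Sig elsewhere.
func BackendVerify(pub ed25519.PublicKey, issued []byte, m SignedMessage) bool {
	if len(issued) != 16 || string(issued) != string(m.Challenge) {
		return false
	}
	return ed25519.Verify(pub, signedBytes(m.Challenge, m.Body), m.Sig)
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ch, _ := BackendChallenge()
	m := ClientSign(priv, ch, []byte("charge tok-XYZ amount=10.00")) // constructed
	fmt.Println("genuine:", BackendVerify(pub, ch, m))
	m.Body = []byte("charge tok-XYZ amount=9999.00") // front-end rewrites the body
	fmt.Println("tampered:", BackendVerify(pub, ch, m))
}
```

The same signature also fails under a different challenge, which is what stops the front-end from replaying an earlier response as a fresh one.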

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
