Eric Rescorla wrote:

> Ben Laurie <[EMAIL PROTECTED]> writes:
>>Eric Rescorla wrote:
>>>Incidentally, when designing SHTTP we envisioned that credit
>>>transactions would be done with signatures. I would say that
>>>the Netscape guys were right in believing that confidentiality
>>>for the CC number was good enough.
>>I don't think so. One of the things I'm running into increasingly with
>>HTTPS is that you can't do an end-to-end check on a cert. That is, if I
>>have some guy logging into some site using a client cert, and that site
>>then makes a back-end connection to another site, there's no way it can
>>prove to the back-end site that it has the real guy online (without
>>playing nasty tricks with the guts of SSL, anyway), and there's
>>certainly no way to prove that some particular response came from him.
>>Signing stuff would deal with this trivially.
> Well, I'd certainly like to believe that this is true, since
> it would mean that Allan and I were right all along. :)

You _were_ right all along. At least about this :-)




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to