Hannes Tschofenig wrote:

> Just a minor note on this paragraph:
>
>> because HTTPS currently depends on X.509 keys, other
>> groups in the IETF world are already working to make HTTPS proof against
>> on-path surveillance. (google for "perfect forward secrecy" to learn
>> more), and others are working to defend the internet user population
>> against wildcard or targeted SSL certificates issued by governments and
>> other anti-secrecy agents with on-path capabilities.
>
> TLS has this ciphersuite concept and allows you to use more than just X.509
> certificates. As such, you have more freedom than you think (if you know
> what you want).
you are right of course. we would use TLS PSK for this, avoiding the X.509
system entirely.

vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop