On 17/11/2013 22:25, Learmonth, Iain Ross wrote:
>>> Also, to completely contradict that point, facebook with https enabled
>>> still uses a CDN, so the theory that https prevents CDNs from working is
>>> apparently wrong anyway.
>
>> I said "possibly" because I wasn't sure. Maybe somebody can explain
>> how it works and how the associated trust model works?
>
> The CDN has one TLS connection from the client to the CDN and another from
> the CDN to the server, it sees everything in plaintext. A CA signs the CDN's
> TLS server certificate so that it can still be accepted by browsers.
> Depending on the CA, different verifications of ownership may be made.
>
> This does raise the issue that these CDNs, which may be managing many large
> services, would be a great place to tap the wires. Maybe we should be
> discouraging them?
Yep, that's my concern about the trust model (also after reading Ted Lemon's response). All I know is that some site I have decided to trust has redirected me to content on a third-party site, which presents an apparently valid cert. I don't understand why I should trust that third-party site.

Brian

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
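The browser-side answer to "why is the third-party cert accepted" is that the CDN's certificate, issued by a CA the browser trusts, lists the site's hostname as a Subject Alternative Name, so the name check passes at the edge even though the TLS session ends there. The following is an added example, not code from the thread or from any CDN: it inspects a certificate in the shape Python's `ssl` module returns and reports the issuer, the names it covers, and whether it is valid for the host the client actually connected to. The certificate dict and all hostnames in it are constructed placeholders.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a certificate a CA issued to a CDN edge that also lists a customer's
# site names as Subject Alternative Names (all names are placeholders).
SAMPLE_CDN_CERT = {
    "subject": ((("commonName", "edge.cdn.example"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA Issuing"),)),
    "subjectAltName": (
        ("DNS", "edge.cdn.example"),
        ("DNS", "*.static.site.example"),
        ("DNS", "site.example"),
    ),
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}


def san_dns_names(cert):
    """DNS names the certificate claims, as a browser would read them."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                  # e.g. ".static.site.example"
    label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return label != "" and "." not in label


def describe_peer(cert, hostname):
    """Who issued the cert, which names it covers, and whether it is
    valid for the hostname the client connected to (the browser's check)."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = san_dns_names(cert)
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "names": names,
        "valid_for_host": any(name_matches(n, hostname) for n in names),
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live variant: fetch the certificate an edge presents for hostname
    (sent as SNI) using the system trust store. Not used offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(describe_peer(SAMPLE_CDN_CERT, "img.static.site.example"))
```

Running `describe_peer` on a real edge's certificate (via `fetch_peer_cert`) shows concretely which names the CA has bound to that CDN, which is the trust decision the thread is questioning.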
