On 12/7/2013 7:48 AM, Nicholas Weaver wrote:
> So the idea of "authentication problem rather than a confidentiality
> one" is a red herring: We have a solution that solves the
> authentication problem for HTTP. It's called TLS. We MUST use it
> everywhere, if only to protect US citizens from the French and
> Chinese, and Russians, and Brazilians, and Israelis...

Except that it solves only a narrow case of authentication.

It's a hop-by-hop solution and mostly authenticates the server, rather
than the data the server is feeding the client. For the data the server
truly is creating, that's probably ok. For data it's merely relaying,
on behalf of the actual author, it's probably not.

So while, yes, authenticating the content is more hassle, it's also more
meaningful.

And therefore, contrary to Richard's assessment, I think the question of
widely-used content-based authentication mechanisms is relevant,
specifically because it demonstrates the viability of actual, end-to-end
identification, rather than hop-by-hop (and therefore
within-relay-exposed) channel-based approaches. The question then is
not what mechanisms exist, but what mechanisms are actually in
widespread use.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass