Re: PRISM and HTTP/2.0
Nico Williams <nico@cryptonector.com> Tue, 16 July 2013 17:30 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F78B21F991E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 10:30:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.948
X-Spam-Level:
X-Spam-Status: No, score=-5.948 tagged_above=-999 required=5 tests=[AWL=3.729, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m3Fz4D12uXyd for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 16 Jul 2013 10:30:42 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BD66021F84BB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 16 Jul 2013 10:30:42 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Uz94M-0000NY-DC for ietf-http-wg-dist@listhub.w3.org; Tue, 16 Jul 2013 17:29:46 +0000
Resent-Date: Tue, 16 Jul 2013 17:29:46 +0000
Resent-Message-Id: <E1Uz94M-0000NY-DC@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uz94E-0000Mk-Bb for ietf-http-wg@listhub.w3.org; Tue, 16 Jul 2013 17:29:38 +0000
Received: from mailbigip.dreamhost.com ([208.97.132.5] helo=homiemail-a65.g.dreamhost.com) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <nico@cryptonector.com>) id 1Uz94D-00084H-8w for ietf-http-wg@w3.org; Tue, 16 Jul 2013 17:29:38 +0000
Received: from homiemail-a65.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a65.g.dreamhost.com (Postfix) with ESMTP id 0B3507E406F for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 10:29:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=rYZtwlbrF5tEAceSHCxmdqQdFfE=; b=NFnETeP/QNw Dg8GR1HebaRA0BtPWjYsxEAzz/ohNScVnMp3cBmd5DBnDup8H2RGO0T2fOUevxdx hu3QVh25FyqQ/URbHc5nF6SvDbJYUlNaBpmIWLaV+lwO+ewqnq9SqPidWNCwpP+B KcmSmfFOkPvNwjnmtVeCo4Z1zVdzzEJ4=
Received: from mail-we0-f179.google.com (mail-we0-f179.google.com [74.125.82.179]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a65.g.dreamhost.com (Postfix) with ESMTPSA id A5A6C7E405D for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 10:29:15 -0700 (PDT)
Received: by mail-we0-f179.google.com with SMTP id w59so867116wes.24 for <ietf-http-wg@w3.org>; Tue, 16 Jul 2013 10:29:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=QLB4ej84iXH8hvfnZf2Flv3rkPs64mQy6A4hgErEXKo=; b=mQFGsOjn8JqIO88E5caNwJTMZWxk42G+1I/CVww1kurpYIlWAFd72oagNQkXXGHTVu TER33N3g6ZCfh6VDbEGoTenNeVqSw9ebQ76MASFn94J/SpPoRXkpK7MTgYbLyjx+6vYq gu+0UniUBfqvG2ybNW8gL4EUiyF2qcBDuEr5m+ZhCNv3dbhPtUVJxoIi6zUK7To9rts6 Q5m48vap6m0/UhVqB5e+v8MX+eedZiQzUvvDvZCY8Pas3VRqnO0eDkfxGLnVm11ClQCP I8+BmAMT+RQoSNnSglZaLVR18rtWnjW2eZj4WByVi4tg6m8BEG3TswKAN8UEYI+adeAr JmQg==
MIME-Version: 1.0
X-Received: by 10.195.13.202 with SMTP id fa10mr813041wjd.14.1373995754271; Tue, 16 Jul 2013 10:29:14 -0700 (PDT)
Received: by 10.217.38.138 with HTTP; Tue, 16 Jul 2013 10:29:14 -0700 (PDT)
In-Reply-To: <CALvhUEVxnJcvfc13PsEZW_8S4ZsLiZb1+h_f-M2W96jv_b0EBQ@mail.gmail.com>
References: <5672.1373710085@critter.freebsd.dk> <51E1D7AF.20708@jrn.me.uk> <CALvhUEW87qGoCYAPY_DW37bs4P=maD0iWFk6tWc-ZVN15KUWtg@mail.gmail.com> <51E53A7D.4090306@treenet.co.nz> <CALvhUEVxnJcvfc13PsEZW_8S4ZsLiZb1+h_f-M2W96jv_b0EBQ@mail.gmail.com>
Date: Tue, 16 Jul 2013 12:29:14 -0500
Message-ID: <CAK3OfOj6i2e4Lz7jruy49XugKzpv-Ckn4GiVE6M6EvFVVMk2bg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Reto Bachmann-Gmür <reto@gmuer.ch>
Cc: Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Received-SPF: none client-ip=208.97.132.5; envelope-from=nico@cryptonector.com; helo=homiemail-a65.g.dreamhost.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-3.449, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001
X-W3C-Scan-Sig: maggie.w3.org 1Uz94D-00084H-8w 4e8ff25dc709ea23d1caca1a2ae7418e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: PRISM and HTTP/2.0
Archived-At: <http://www.w3.org/mid/CAK3OfOj6i2e4Lz7jruy49XugKzpv-Ckn4GiVE6M6EvFVVMk2bg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18814
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Tue, Jul 16, 2013 at 11:28 AM, Reto Bachmann-Gmür <reto@gmuer.ch> wrote: > On Tue, Jul 16, 2013 at 2:20 PM, Amos Jeffries <squid3@treenet.co.nz> wrote: >> On 16/07/2013 4:19 a.m., Reto Bachmann-Gmür wrote: >> I can't think how. > > Abusing the userinfo subcomponent a URI could look like this > > https://WanYixZKajPyjw2llf@example.org/foo > > If the public key presented by the server does not match the digest > WanYixZKajPyjw2llf the client would present a warning. > >> The MITM can as easily change that public key to its own >> one and use the original itself as the client could use it in the first >> place. > > No. The MITM might be able to provide a duly signed certificate for > example.org but it would much harder to create one which matches the > digest present in the referring URIs. This doesn't allow for key/cert rollover.
- PRISM and HTTP/2.0 Poul-Henning Kamp
- Re: PRISM and HTTP/2.0 Stephen Farrell
- Re: PRISM and HTTP/2.0 Mike Belshe
- Re: PRISM and HTTP/2.0 J Ross Nicoll
- Re: PRISM and HTTP/2.0 Roberto Peon
- Re: PRISM and HTTP/2.0 Nicolas Mailhot
- Re: PRISM and HTTP/2.0 Mark Nottingham
- Re: PRISM and HTTP/2.0 Poul-Henning Kamp
- Re: PRISM and HTTP/2.0 Reto Bachmann-Gmür
- Re: PRISM and HTTP/2.0 Nico Williams
- Re: PRISM and HTTP/2.0 Amos Jeffries
- Re: PRISM and HTTP/2.0 Reto Bachmann-Gmür
- Re: PRISM and HTTP/2.0 Nico Williams
- Re: PRISM and HTTP/2.0 Reto Bachmann-Gmür