Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser for a different certificate
Marsh Ray <marsh@extendedsubset.com> Tue, 30 March 2010 14:51 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90B2D3A6BD4 for <tls@core3.amsl.com>; Tue, 30 Mar 2010 07:51:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.737
X-Spam-Level:
X-Spam-Status: No, score=0.737 tagged_above=-999 required=5 tests=[AWL=-0.394, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MRmV8MzNQUXt for <tls@core3.amsl.com>; Tue, 30 Mar 2010 07:51:37 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 1156D3A6BE5 for <tls@ietf.org>; Tue, 30 Mar 2010 07:50:07 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1Nwcm3-000AKQ-SI; Tue, 30 Mar 2010 14:50:35 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id B593C60B8; Tue, 30 Mar 2010 14:50:33 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/tidMqsErf3Zna3rlaZtOJZ38Y+W/+i0o=
Message-ID: <4BB20FBB.9000608@extendedsubset.com>
Date: Tue, 30 Mar 2010 09:50:35 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: "Kemp, David P." <DPKemp@missi.ncsc.mil>
References: <4BAE396B.9090104@extendedsubset.com> <201003291745.o2THjKgr017986@fs4113.wdf.sap.corp> <6b9359641003291236t4e7bd0c6ycc5c5a435f38f3cf@mail.gmail.com> <4BB1077D.4030506@pobox.com><6b9359641003291622y4310e1f2p18301fde231701c8@mail.gmail.com> <4BB15250.6080306@extendedsubset.com> <201003301424.o2UEOiJv013761@stingray.missi.ncsc.mil>
In-Reply-To: <201003301424.o2UEOiJv013761@stingray.missi.ncsc.mil>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: TLS Mailing List <tls@ietf.org>
Subject: Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser for a different certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2010 14:51:38 -0000
On 3/30/2010 9:24 AM, Kemp, David P. wrote: > ADH is a pretty standard way of > reducing ID exposure from an infinite number of attackers down to 1 > active party It doesn't reduce it to one active party because Malloy can't know any better than Alice or Bob if one of his connections is itself being MITM'd. One could imagine amusing scenarios where AT&T and China bump into each other on the wire and begin to argue "hey, buddy, go get your own Facebook connection". http://mashable.com/2010/01/16/att-facebook-error/ https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html > and 0 passive parties. That's a fairly significant > reduction. Defeating passive eavesdropping is important, but it's sufficient in general. In the past, people were on shared Ethernet and would naturally be in a position to quietly observe every packet going by. For several common types of attacks today it's no harder to modify the packets than it is to observe them. Think of China and Pakistan DNS- and BGP-jacking YouTube for recent examples. - Marsh
- Re: [TLS] Asking the browser for a different cert… Story Henry
- [TLS] Asking the browser for a different certific… Story Henry
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Wan-Teh Chang
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Michael D'Errico
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Dale Gustafson
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Bruno Harbulot
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray