OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xri message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xri] Minutes: XRI TC Telecon 2-3PM PT Thursday 2009-12-17

Breno de Medeiros wrote on 2009-12-18:
> Yes, however, if the certificate used in the transport is different from
> one in signing, a MitM attacker in possession of the signing certificate
> would be able to successfully negotiate a TLS connection, so it's unclear
> me that a document signed this way is actually more susceptible to MitM
> attackers if not served over SSL.

Yes, I was just pointing out what would pop up as an issue if you completely
avoid mention of the transport. If there are risks you want to directly
address, or things you want to preclude, that's fine.

But any time you start writing rules about certificates having to be the
"same", you immediately introduce a slew of edge cases. The only ways to
avoid those problems are to compare the certificates byte for byte or the
keys byte for byte, and I would suggest one of those rather than leaving it
at "MUST be the same".

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]