Eric Rescorla wrote:
> Ben Laurie <[EMAIL PROTECTED]> writes:
>
>> Eric Rescorla wrote:
>>
>>> Incidentally, when designing SHTTP we envisioned that credit
>>> transactions would be done with signatures. I would say that
>>> the Netscape guys were right in believing that confidentiality
>>> for the CC number was good enough.
>>
>> I don't think so. One of the things I'm running into increasingly with
>> HTTPS is that you can't do an end-to-end check on a cert. That is, if I
>> have some guy logging into some site using a client cert, and that site
>> then makes a back-end connection to another site, there's no way it can
>> prove to the back-end site that it has the real guy online (without
>> playing nasty tricks with the guts of SSL, anyway), and there's
>> certainly no way to prove that some particular response came from him.
>> Signing stuff would deal with this trivially.
>
> Well, I'd certainly like to believe that this is true, since
> it would mean that Allan and I were right all along. :)
You _were_ right all along. At least about this :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
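The end-to-end signing Ben describes, as an added example in Go that is not part of the thread: the back-end issues a nonce, the user signs nonce||body with the key behind their client cert, the front-end that terminated the TLS session only relays, and the back-end verifies without trusting the front-end. The message format, function names and the use of Ed25519 are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)

// SignedResponse is an assumed wire format (not from the thread): a body signed
// with the key behind the user's client cert, bound to a nonce the back-end issued.
type SignedResponse struct {
	Nonce []byte // 16 bytes, issued by the back-end and relayed to the user
	Body  []byte
	Sig   []byte
}

// NewNonce runs on the back-end; a fresh nonce is what proves the user is online now.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// signedBytes: fixed-length nonce then body, so the split is unambiguous.
func signedBytes(nonce, body []byte) []byte {
	return append(append([]byte{}, nonce...), body...)
}

// SignResponse runs on the user's side, independent of any TLS session.
func SignResponse(priv ed25519.PrivateKey, nonce, body []byte) SignedResponse {
	return SignedResponse{Nonce: nonce, Body: body, Sig: ed25519.Sign(priv, signedBytes(nonce, body))}
}

// FrontEndRelay is the site that terminated the user's TLS session; it can only forward, and any edit breaks the signature.
func FrontEndRelay(r SignedResponse, tamper bool) SignedResponse {
	if tamper {
		r.Body = append(append([]byte{}, r.Body...), " (edited by front-end)"...)
	}
	return r
}

// BackEndVerify proves, without trusting the front-end, that the holder of userPub answered this nonce with exactly this body.
func BackEndVerify(userPub ed25519.PublicKey, issued []byte, r SignedResponse) bool {
	if !bytes.Equal(issued, r.Nonce) {
		return false // stale or replayed response
	}
	return ed25519.Verify(userPub, signedBytes(r.Nonce, r.Body), r.Sig)
}
```

The nonce check is what turns "this came from the user" into "the user is online now"; without it a front-end could replay an old signed response.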