[Argh. Sorry for the duplicate. I forgot to cc the list.] > Sad. Seems we've been around this May Pole way too many times already... You > have nothing new to say below, and my answers are also not new.
Richard's summary matches my understanding. > Agreed, sort of. This assumes fixes that do not exist. So "assuming a > canopener". It also assumes that less than perfect security is no security. The problem with pseudo security is that people might think it really is secure. If it's not (real) secure, I think we should make a lot of noise about using it. > Part of the rationale for NTS is that since the cookies change every request, > then the user can not be tracked. "noval" does not remove that feature, or > some other goodness. Why are you bringing up tracking? Is it related to security? To pinning? > Agreed, sort of. The "ca", which is an "assumed can opener", does not solve > many very similar cases. My plan is to implement the per-server "ca" as soon as I can. The API I want isn't available, but I think I see a reasonable way to implement it. That will solve the problem of self-certified certificates. How many of your "many very similar" cases are interesting? > Personally, I'd rather have DANE type pinning before "ca". And once "ca" is > implemented would like to do both. Are you trying to use DANE as a substitute for normal certificate checking or as a supplement? I don't fully understand DANE yet. A good example might help. Is there a HOWTO type web page telling me how to set things up? ... Is it widely deployed? Does my browser use it? -- These are my opinions. I hate spam. _______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel