Hans Petter Selasky wrote:
> As a proposal in general, entertainment content providers do not require
> the same level of confidence that the data really comes from the server as
> the security certificate indicates, which other content providers like banks
> require.
It sounds to me like this approach makes inappropriate
assumptions about end-users' threat models and allows
a class of malleability attacks which could range
from simple data corruption to - conceivably, under
the right circumstances - arbitrary code execution.
To me, transport _security_ does indeed require all
three of confidentiality, integrity, and
authenticity.
-Jan