On Sun, Jun 7, 2020 at 8:21 PM Erik Kline wrote:
> I think there are two separate things here.
>
> [1] The use of HTTPS allows the client to authenticate the API and
> interactive URLs the same way a browser would be confident it's
> talking to amazon.com, for example.
>
> I think in this sense,
Hi Tommy,
You will probably need to do more than just dropping this
specific sentence, because the text just before this sentence talks
about the client authenticating the server and allowing the user to be
confident of the server and its identity.
Regards,
Rifaat
On Tue, Jun 2, 2020 at 1:33
Hi Rifaat,
Your comments make it clear that the recommendation to make the API server name
visible isn’t necessarily clear. I think it’s not a harmful thing to show, as a
way to give troubleshooting information and transparency to the user, but it is
not a security-critical point.
It seems
On Sun, May 31, 2020 at 2:07 AM Erik Kline wrote:
> On Wed, May 20, 2020 at 4:37 AM Rifaat Shekh-Yusef
> wrote:
> >
> > Adding SecDir back to this thread.
> >
> >
> > >Martin Thomson Tue, 19 May 2020 01:02 UTC
> > >
> > >On Tue, May 19, 2020, at 07:08, Rifaat Shekh-Yusef wrote:
>
Adding SecDir back to this thread.
>Martin Thomson Tue, 19 May 2020 01:02 UTC
>
>On Tue, May 19, 2020, at 07:08, Rifaat Shekh-Yusef wrote:
>>it provides the client of the API
>>an opportunity to authenticate the server that is hosting the API.
>>This authentication is
On Tue, May 19, 2020, at 07:08, Rifaat Shekh-Yusef wrote:
>it provides the client of the API
>an opportunity to authenticate the server that is hosting the API.
>This authentication is aimed at *allowing a user to be reasonably
>confident that the entity providing the Captive
Adding Ben.
On Sun, May 17, 2020 at 9:26 PM Martin Thomson wrote:
> Adding more lists.
>
> On Sun, May 17, 2020, at 02:50, Rifaat Shekh-Yusef wrote:
> > > Here is a quote from the API document:
> > > "The hostname of the API SHOULD be displayed to the user in order to
> indicate the entity
Adding more lists.
On Sun, May 17, 2020, at 02:50, Rifaat Shekh-Yusef wrote:
> > Here is a quote from the API document:
> > "The hostname of the API SHOULD be displayed to the user in order to
> > indicate the entity which is providing the API service."
> >
> > This seems to suggest that the
Perhaps a reference to https://tools.ietf.org/html/rfc3756 as well as the
security considerations sections of 2131, 4861, 4862, and 8415.
I'm capturing notes in https://github.com/capport-wg/7710bis/issues/30 .
On Sun, 3 May 2020 at 17:09, Martin Thomson wrote:
> I think that the standard
I think that the standard assumption is that we can equate the ability to send
a DHCP response or a RA with control of the network (or at least those aspects
of the network upon which clients rely on DHCP/RA for). I don't know if that
assumption is written down in a place we could cite it, but
Reviewer: Rifaat Shekh-Yusef
Review result: Has Issues
Since the use of IP address literals is not forbidden by this document, what if
an attacker with the ability to inject DHCP messages or RAs uses this option
to force the user to contact an IP address of his choosing? In this case, the
use