[Openid-specs-risc] Do you have a need for SET delivery to non-HTTPS endpoints?
Atul Tulshibagwale
atultulshi at google.com
Thu Jun 11 16:09:01 UTC 2020
Thanks Mike, for bringing this to our attention.
My feeling is that in general SETs may be transported over insecure
channels as long as they are secured to the extent required (signed,
encrypted or both). However, in SET-push and SET-poll I don't see that
situation arising. In both cases, a server-authenticated TLS transport can
be reasonably expected.
Atul
On Tue, Jun 9, 2020 at 12:50 PM Mike Jones via Openid-specs-risc <
openid-specs-risc at lists.openid.net> wrote:
> There’s a discussion in the IETF SecEvent working group at present about
> whether to restrict SET delivery using the draft-ietf-secevent-http-push
> <https://tools.ietf.org/html/draft-ietf-secevent-http-push-11> and
> draft-ietf-secevent-http-poll
> <https://tools.ietf.org/html/draft-ietf-secevent-http-poll-10> specs to
> only allow delivery over HTTPS (TLS) connections. At present, it’s unclear
> whether pure HTTP is also allowed. The specs do say that if SETs are
> delivered over a channel that doesn’t provide integrity protection, that
> they must be signed and/or encrypted to provide this protection.
>
> The discussion is happening in the thread “Re: [Id-event] Genart last call
> review of draft-ietf-secevent-http-poll-09”. Given that this working group
> is using the SET delivery specs, I wanted to bring this choice that will be
> made soon to your attention.
>
> -- Mike
>
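The rule quoted above (a SET sent over a channel without integrity protection must itself be signed and/or encrypted) can be enforced at the receiver; the following is an added example, not part of the thread or of the drafts. It covers only the signed case with HS256, and the function names, key, claims and endpoint URLs are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample values, not taken from the thread.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_CLAIMS = {"iss": "https://idp.example.com", "jti": "756E69717565", "iat": 1591891741,
                 "events": {"https://schemas.openid.net/secevent/risc/event-type/account-disabled": {}}}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_set(claims, key=None):
    """Build a sample SET: HS256-signed when a key is given, otherwise alg=none."""
    header = {"typ": "secevent+jwt", "alg": "HS256" if key else "none"}
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url_encode(sig)

def signature_valid(token, key):
    """True only for a three-part JWS whose HS256 signature verifies under key."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(b64url_decode(parts[0]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # rejects alg=none and anything this sketch does not verify
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)

def accept_delivery(endpoint_url, token, key):
    """Apply the channel rule: no integrity from the transport means the SET must be signed."""
    scheme = urlsplit(endpoint_url).scheme.lower()
    if scheme == "https":
        return True  # TLS already gives the channel integrity protection
    if scheme == "http":
        return signature_valid(token, key)
    return False  # any other scheme is outside this example
```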