Notes From Draft 10
Josh Hoyt
josh at janrain.com
Mon Oct 16 22:37:33 UTC 2006
On 10/16/06, Hans Granqvist <hgranqvist at verisign.com> wrote:
> What's the security benefit of forcing the protocol to use a
> specific order?
I don't know of any security benefit of using a specific order. I'm
pretty certain that this proposal came about to make the spec easier
to read and implement.
> The signed list has an inherent order that can change should attacks
> come to light in the future. Why remove that possibility?
If there are attacks in the future, won't the spec have to change to
at least mention what not to do in order to avoid the vulnerability?
If so, does specifying a particular order make it much worse?
I don't feel very strongly about this proposal, and people clearly
have reservations about it, so I'll let David take it from here.
Josh
More information about the specs
mailing list