by csmpltn 1265 days ago
> "The use of TLS for QUIC does not imply or require the use of the Web PKI"

Handling certificate revocations (which would be needed to "ensure security") does indeed imply the use of some way to check for the revocations in a timely manner. The revocation lists themselves can be tampered with.


You've jumped from assuming the Web PKI, which isn't required, to assuming online revocation checks, which is even more not required.

So how does your imaginary version of a transport-layer guarantee a message can't be tampered with if it trusts keys which are revoked?

Web PKI is not the only way to revoke keys.

> "Web PKI is not the only way to revoke keys."

You're not answering my question (we both know why), and I never mentioned anything about WebPKI in any of my comments anyways.