[cap-talk] What is the implementation status of yurls?
Tyler Close
tyler.close at gmail.com
Fri Mar 4 20:50:53 PST 2011
On Fri, Mar 4, 2011 at 4:40 PM, James A. Donald <jamesd at echeque.com> wrote:
>>> (b) when i tried
>>> https://sha-256-hl6w2x74ixy6pi5n.yurl.net:4445/-/tutbucks/#s=ashzre7yp5wauo
>
> sha-256-hl6w2x74ixy6pi5n.yurl.net looks like a yurl
>
> Now if yurls were really implemented, then when the browser attempted to
> access
> httpy://sha-256-hl6w2x74ixy6pi5n.somedomain, what would happen is that
> it would get the network address, and upon contacting the domain,
> receive a public key and a rule endorsing that public key, whose sha-256
> has was hl6w2x74ixy6pi5n, and from this information, together with the
> information in its request, construct a shared secret,
> used to encrypt subsequent communications.
>
> This would have the considerable advantage that since no intermediate
> trusted authorities are involved, the user would not see complicated
> mystery error messages and would not be trained to click through those
> mystery error messages, nor would the authorities be able to mim
> websites by suborning one of innumerable certificate authorities that no
> one has ever heard of.
>
> That this looks like yurl implies that something is implemented, though
> I suspect considerably less than a full yurl implementation. What is
> actually implemented and working today?
The Waterken server implements full YURL semantics and so for
distributed apps composed of Waterken servers talking to each other
you have the security properties described above. Much of the work
MarcS and Alan have been doing involves Waterken servers talking to
each other, so it works out for them.
The longstanding gap in the system is compatibility with the Web
browser. A Web browser will initially pop an annoying dialog when
navigating to a YURL. Even after clicking through the dialog to accept
the certificate, the browser still allows the site to be impersonated
by a certificate from a recognized CA. None of the browsers make it
easy to fix this problem, so it'll require someone sitting down for a
few weeks to crank out the needed code. Somehow, I've always had other
things higher up on the TODO list.
--Tyler
--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
More information about the cap-talk
mailing list