On 3/24/23 04:31, Jan Schaumann wrote:
Hans Petter Selasky <h...@selasky.org> wrote:
As a proposal in general, entertainment content providers, do not require
the same level of confidence, that the data really comes from the server as
the security certificate indicates, which other content providers like banks
require.
It sounds to me like this approach makes inappropriate
assumptions about end-users' threat models and allows
a class of malleability attacks which could range
from simple data corruption to - conceivably, under
the right circumstances - arbitrary code execution.
To me, transport _security_ does indeed require all
three of confidentiality, integrity, and
authenticity.
TLS gives confidentiality.
The IP checksum gives integrity.
The authenticity part is not needed in my case.
A typical video stream of 4 MBit/s may produce on average 333 packets
per second, and I ask a simple question if it is really needed to
authenticate all of those packets while the user sits in a chair and
eats popcorn?
--HPS
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
