On 3/24/23 09:39, Hans Petter Selasky wrote:
> On 3/24/23 04:31, Jan Schaumann wrote:
>> Hans Petter Selasky <h...@selasky.org> wrote:
>>> As a proposal in general, entertainment content providers, do not
>>> require the same level of confidence, that the data really comes
>>> from the server as the security certificate indicates, which other
>>> content providers like banks require.
>>
>> It sounds to me like this approach makes inappropriate
>> assumptions about end-users' threat models and allows
>> a class of malleability attacks which could range
>> from simple data corruption to - conceivably, under
>> the right circumstances - arbitrary code execution.
>>
>> To me, transport _security_ does indeed require all
>> three of confidentiality, integrity, and
>> authenticity.
>
> TLS gives confidentiality.
> The IP checksum gives integrity.
> The authenticity part is not needed in my case.
>
> A typical video stream of 4 MBit/s may produce on average 333 packets
> per second, and I ask a simple question if it is really needed to
> authenticate all of those packets while the user sits in a chair and
> eats popcorn?

OK
I see where you guys are falling off.
Professionals already encrypt the video files served using
(confidentiality, integrity and authenticity).
These files are also served using HTTP, unencrypted, but then people can
easily compare the contents to figure out what is being watched, even if
encrypted.
The transport layer TCP/IP/TLS does not need the authenticity part in
this case, because the files served are already fully encrypted, if that
makes sense.
I mean, when encryption is recursive, then the outer layers don't need
authenticity?
Maybe this makes it more clear?
--HPS
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
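
The malleability concern raised in this thread, as an added example that is not part of any poster's message: with an unkeyed checksum and encryption that carries no authentication tag, a change made in transit passes the checksum and decrypts cleanly, while a keyed MAC over the ciphertext flags it. The SHA-256 counter keystream is a toy stand-in for any unauthenticated stream cipher, and the keys, segment bytes and function names are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream (assumption: stands in for an unauthenticated cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crypt(key: bytes, data: bytes) -> bytes:
    # XOR stream cipher: the same operation encrypts and decrypts.
    return xor(data, keystream(key, len(data)))

def internet_checksum(data: bytes) -> int:
    # RFC 1071 ones' complement sum over 16-bit words; no key is involved.
    if len(data) % 2:
        data += b"\x00"
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def modify_in_transit(ct: bytes, known: bytes, wanted: bytes, offset: int):
    # A party without the key XORs (known ^ wanted) into the ciphertext,
    # then recomputes the checksum, which needs no secret.
    buf = bytearray(ct)
    for i, d in enumerate(xor(known, wanted)):
        buf[offset + i] ^= d
    return bytes(buf), internet_checksum(bytes(buf))

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    segment = b"seg=0042;codec=h264;len=1316"  # constructed sample payload
    ct = crypt(enc_key, segment)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()  # keyed integrity check
    ct2, csum2 = modify_in_transit(ct, b"h264", b"XXXX", segment.index(b"h264"))
    checksum_ok = internet_checksum(ct2) == csum2      # receiver's checksum test
    received = crypt(enc_key, ct2)                     # decrypts without error
    mac_ok = hmac.compare_digest(tag, hmac.new(mac_key, ct2, hashlib.sha256).digest())
    return checksum_ok, received, mac_ok

if __name__ == "__main__":
    print(demo())
```

The checksum accepts the altered bytes because anyone can recompute it; only the check that depends on a secret key rejects them.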