Re: [Captive-portals] The architecture requiring that the API be secure

[Michael Richardson <mcr@sandelman.ca>]

Kyle Larose <klarose@sandvine.com> wrote:
    > Issue #6 in the architecture draft
    > (https://github.com/capport-wg/architecture/issues/6) was raised to
    > point out that we should really mandate that the API be secure.

I entered some comments on the github issue.

    > Basically, we want to make TLS a requirement, not a suggestion, so I've
    > changed the wording around TLS to reflect this. I also added a section
    > to the security section discussing the motivation behind the
    > requirement.

I think that we have to deal with Martin's points about all the ways that the
certificate behind HTTPS can be broken.  I don't want to see overrides for
that certificate.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [