On 12/03/2015 4:22 p.m., Daniel Greenwald wrote: > Amos- Where can i get the per message pki authentication you describe.!? I saw it on a forum somewhere shortly after the Sony DRM/rootkit issue came out. It was a proposal for non-intrusive DRM in music/video streams with a custom client and server. Dismissed at the time due to DRM folks wanting the encryption even the client could not decrypt. I've not seen anything like it in public availability, but given that YT are now doing HTML5 video I suspect they or Netflix are the guys to ask there. Should be easy enough to code up one of your own though. The client agent had a public key for the server, generated keys get sent as password salted with something from the cert. The username was used for a client cert for the actual auth part same as in TLS. Both parts encrypted with the servers key to prevent MITM on the way. All the server has to do is decrypt the received cert+key, validate, then encrypt the response payload (optionally some headers about it a well) with the client provided key. If I was implementing it today I'd use DNS TLSA record to publish the server key(s) instead of embedding in the client, and list available/preferred ciphers etc in the username part instead of just a client cert. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
