Re: multiplexing -- don't do it

From: patrick mcmanus <pmcmanus@mozilla.com>
Date: Mon, 02 Apr 2012 19:21:35 -0400
Message-ID: <4F7A347F.2070805@mozilla.com>
To: ietf-http-wg@w3.org

On 4/2/2012 7:11 PM, Adrien W. de Croy wrote:
>
> So providing explicit support would make life a fair bit easier.  I'm 
> pretty sure everyone who wrote MITM was holding their nose at the time.

++yes, and we could probably also provide a mechanism for signing 
content e2e so the end user can still verify with the normal pki whether 
or not the integrity assertion of the resources match the host in the uris.

I'm as firm on TLS-everywhere as anyone, but I recognize in some 
situations the user will need to consent to a non e2e version. Informed 
consent with reasonable granularity (Will's mention that CONNECT or 
block-me is still appropriate for a subset of things) is critical here, 
as is the elimination of passive attacks. That is still a massive win 
for privacy. The framework for consent needs work, and things like wpad 
probably need a new looking over. Undeniably hard stuff.

We've got time for all of that if we're pointed in roughly the same 
direction.

-P
Received on Monday, 2 April 2012 23:22:06 GMT
