- From: patrick mcmanus <pmcmanus@mozilla.com>
- Date: Mon, 02 Apr 2012 19:21:35 -0400
- To: ietf-http-wg@w3.org
On 4/2/2012 7:11 PM, Adrien W. de Croy wrote:
>
> So providing explicit support would make life a fair bit easier. I'm
> pretty sure everyone who wrote MITM was holding their nose at the time.

++yes, and we could probably also provide a mechanism for signing content e2e so the end user can still verify with the normal pki whether or not the integrity assertion of the resources match the host in the uris.

I'm as firm on TLS-everywhere as anyone, but I recognize in some situations the user will need to consent to a non e2e version. Informed consent with reasonable granularity (Will's mention that CONNECT or block-me is still appropriate for a subset of things) is critical here, as is the elimination of passive attacks. That is still a massive win for privacy.

The framework for consent needs work, and things like wpad probably need a new looking over. Undeniably hard stuff. We've got time for all of that if we're pointed in roughly the same direction.

-P
Received on Monday, 2 April 2012 23:22:06 UTC