Re[2]: SPDY = HTTP/2.0 or not ?

From: Adrien W. de Croy <adrien@qbik.com>
Date: Mon, 26 Mar 2012 09:22:03 +0000
To: "Peter Saint-Andre" <stpeter@stpeter.im>
Cc: "Mike Belshe" <mike@belshe.com>, "Roy T. Fielding" <fielding@gbiv.com>, "patrick mcmanus" <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <em061c9ac1-3b31-4653-bc63-a26c85ec06ca@boist>

------ Original Message ------
From: "Peter Saint-Andre" <stpeter@stpeter.im>
To: "Adrien W. de Croy" <adrien@qbik.com>
Cc: "Mike Belshe" <mike@belshe.com>;"Roy T. Fielding" 
<fielding@gbiv.com>;"patrick mcmanus" 
<pmcmanus@mozilla.com>;"ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 26/03/2012 10:03:30 p.m.
Subject: Re: SPDY = HTTP/2.0 or not ?
>
>On 3/26/12 10:56 AM, Adrien W. de Croy wrote:
>
>
>>>
>>>From a practical point of view, there aren't a lot of
>>>alternatives to SSL on the table right now.  Most people do agree
>>>that SSL does a reasonable job of preventing eavesdropping.
>>>
>>
>>
>>I can see a lot of resistance from customers told they now need to
>>buy and maintain a certificate from a CA just to run a webserver.
>>
>>Sure they can run a self-signed cert, but that doesn't fulfil the
>>goal of giving the user security.
>>
>
>
>Could we cut the FUD about needing to pay for certs? There are indeed
>providers of free certificates (I won't mention names for fear of
>being tarred with a marketing brush).
>
  
Providers of free certs who
  
a) verify the identity of the entity they issue the certificate to
b) have a root cert that's sufficiently well deployed and trusted to be 
usable
  
?  I'd be keen to know more.
  
If not (a) (which is incompatible with free) then is it really security?
>
>
>And SSL/TLS is not *necessarily* tied to PKI, either.
>
  
OK.  So no private key?  Just some shared secret then?
  
  
From memory it's fairly painful to get SSL working in a web server.  Do 
we really wish to inflict that pain mandatorily on every web server 
operator?
>
>
>Peter
>
>--
>Peter Saint-Andre
>https://stpeter.im/
>
>
Received on Monday, 26 March 2012 09:22:31 GMT
