Re: SPDY = HTTP/2.0 or not ? from Peter Saint-Andre on 2012-03-26 (ietf-http-wg@w3.org from January to March 2012)

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Mon, 26 Mar 2012 11:55:56 +0200
To: "Adrien W. de Croy" <adrien@qbik.com>
CC: Mike Belshe <mike@belshe.com>, "Roy T. Fielding" <fielding@gbiv.com>, patrick mcmanus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <4F703D2C.6090903@stpeter.im>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3/26/12 11:22 AM, Adrien W. de Croy wrote:
> 
> ------ Original Message ------ From: "Peter Saint-Andre"
> <stpeter@stpeter.im> To: "Adrien W. de Croy" <adrien@qbik.com> Cc:
> "Mike Belshe" <mike@belshe.com>;"Roy T. Fielding" 
> <fielding@gbiv.com>;"patrick mcmanus" 
> <pmcmanus@mozilla.com>;"ietf-http-wg@w3.org" <ietf-http-wg@w3.org> 
> Sent: 26/03/2012 10:03:30 p.m. Subject: Re: SPDY = HTTP/2.0 or not
> ? On 3/26/12 10:56 AM, Adrien W. de Croy wrote:
> 
> 
>>>>> 
>>>>> From a practical point of view, there aren't a lot of 
>>>>> alternatives to SSL on the table right now.  Most people do
>>>>> agree that SSL does a reasonable job of preventing
>>>>> eavesdropping.
>>>>> 
>>>> 
>>>> 
>>>> I can see a lot of resistance from customers told they now
>>>> need to buy and maintain a certificate from a CA just to run
>>>> a webserver.
>>>> 
>>>> Sure they can run a self-signed cert, but that doesn't fulfil
>>>> the goal of giving the user security.
>>>> 
> 
> 
> Could we cut the FUD about needing to pay for certs? There are
> indeed providers of free certificates (I won't mention names for
> fear of being tarred with a marketing brush).
> 
> 
>> providers of free certs who
> 
>> a) verify the identity of the entity they issue the certificate
>> to b) have a root cert that's sufficiently well deployed and
>> trusted to be usable
> 
>> ?  I'd be keen to know more.
> 
>> if not a (which is incompatible with free) then is it really
>> security?

You can check the cert at the URL in my sig.

> And SSL/TLS is not *necessarily* tied to PKI, either.
> 
> 
>> OK.  so no private key?  Just some shared secret then?

See for example the DANE WG:

http://tools.ietf.org/html/draft-ietf-dane-protocol

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9wPSwACgkQNL8k5A2w/vwUXwCgkMGTKxKbRqiK8mBJi9izlkzi
djQAoLXQzTsvRCVRq1CJTqpfiVQRUoHM
=LE6/
-----END PGP SIGNATURE-----

Received on Monday, 26 March 2012 09:56:32 UTC