
Re[2]: SPDY = HTTP/2.0 or not ?

From: Adrien W. de Croy <adrien@qbik.com>
Date: Mon, 26 Mar 2012 10:15:12 +0000
To: "Peter Saint-Andre" <stpeter@stpeter.im>
Cc: "Mike Belshe" <mike@belshe.com>, "Roy T. Fielding" <fielding@gbiv.com>, "patrick mcmanus" <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <emb750f05b-e5c7-4cb5-8be6-6718344b0784@boist>

------ Original Message ------
From: "Peter Saint-Andre" <stpeter@stpeter.im>
>On 3/26/12 11:22 AM, Adrien W. de Croy wrote:
>
>>------ Original Message ------ From: "Peter Saint-Andre"
>>
>>>>>>From a practical point of view, there aren't a lot of
>>>>>>alternatives to SSL on the table right now.  Most people do
>>>>>>agree that SSL does a reasonable job of preventing
>>>>>>eavesdropping.
>>>>>
>>>>>I can see a lot of resistance from customers told they now
>>>>>need to buy and maintain a certificate from a CA just to run
>>>>>a webserver.
>>>>>
>>>>>Sure they can run a self-signed cert, but that doesn't fulfil
>>>>>the goal of giving the user security.
>>
>>Could we cut the FUD about needing to pay for certs? There are
>>indeed providers of free certificates (I won't mention names for
>>fear of being tarred with a marketing brush).
>>
>>>providers of free certs who
>>>
>>>a) verify the identity of the entity they issue the certificate to
>>>b) have a root cert that's sufficiently well deployed and
>>>trusted to be usable
>>>
>>>?  I'd be keen to know more.
>>>
>>>if not a (which is incompatible with free) then is it really
>>>security?
>
>You can check the cert at the URL in my sig.
>
  
Ok thanks.
  
In the end though, even if the certificate itself isn't charged for, 
there's still a cost involved in obtaining and installing it.
  
Generating a signing request etc., importing the certificate and 
managing the private key.
  
These add a significant requirement to many HTTP server deployment 
scenarios, not the least in terms of level of knowledge of the person 
doing it.
  
>>And SSL/TLS is not *necessarily* tied to PKI, either.
>>
>>>OK.  so no private key?  Just some shared secret then?
>
>See for example the DANE WG:
>
>http://tools.ietf.org/html/draft-ietf-dane-protocol
>
  
thanks again!  

Adrien
>
>Peter
>
>- --
>Peter Saint-Andre
>https://stpeter.im/
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.8 (Darwin)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iEYEARECAAYFAk9wPSwACgkQNL8k5A2w/vwUXwCgkMGTKxKbRqiK8mBJi9izlkzi
>djQAoLXQzTsvRCVRq1CJTqpfiVQRUoHM
>=LE6/
>-----END PGP SIGNATURE-----
>
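The per-server work Adrien lists (generating a signing request, importing the certificate, managing the private key) and the DANE draft Peter points to, shown as an added example that is not part of the original thread and not code from either author: a POSIX shell script using only the openssl command line that creates a key and CSR for a hypothetical host, self-signs the CSR, and then derives the TLSA record that DANE (the draft linked above, later published as RFC 6698) would carry for that server, so that a client validating DNSSEC can trust the self-signed certificate without any CA. The host name, scratch directory and function names are assumptions of this example, and an installed openssl CLI is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: the per-server certificate
# work Adrien lists, plus the DANE TLSA record for the resulting key.
# Assumptions: the openssl CLI is installed; host name, scratch
# directory and function names are hypothetical.
set -eu

WORKDIR=${WORKDIR:-$(mktemp -d)}   # scratch directory for key/CSR/cert files

# Step 1: private key and certificate signing request (CSR).
# The key never leaves this machine; only the CSR goes to a CA.
make_key_and_csr() {
    host=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
    chmod 600 "$WORKDIR/$host.key"   # private key: owner-readable only
}

# Step 2: sign the CSR. Self-signed here, which is exactly the case the
# thread says gives the user no assurance on its own; a CA would instead
# run 'openssl x509 -req -CA ca.crt -CAkey ca.key ...' over the CSR.
self_sign() {
    host=$1
    openssl x509 -req -days 365 -in "$WORKDIR/$host.csr" \
        -signkey "$WORKDIR/$host.key" -out "$WORKDIR/$host.crt" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo read back from the certificate.
spki_digest_from_cert() {
    host=$1
    openssl x509 -in "$WORKDIR/$host.crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -hex | sed 's/^.*= *//'
}

# Same digest computed straight from the private key, to cross-check
# that the certificate really carries this key's public half.
spki_digest_from_key() {
    host=$1
    openssl pkey -in "$WORKDIR/$host.key" -pubout -outform DER \
        | openssl dgst -sha256 -hex | sed 's/^.*= *//'
}

# Step 3: the DANE TLSA record for HTTPS on this host (RFC 6698 values):
# usage 3 = DANE-EE (trust this end-entity key, no CA involved),
# selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256.
tlsa_record() {
    host=$1
    echo "_443._tcp.$host. IN TLSA 3 1 1 $(spki_digest_from_cert "$host")"
}

main() {
    host=$1
    make_key_and_csr "$host"
    self_sign "$host"
    tlsa_record "$host"
}

if command -v openssl >/dev/null 2>&1; then
    main "${1:-www.example.test}"
else
    echo "openssl CLI not found; nothing generated" >&2
fi
```

Run it as `sh dane_tlsa.sh myhost.example.test`; the printed TLSA line is what the zone would publish. The record only removes the CA from the picture if the zone is DNSSEC-signed and the client validates DNSSEC and DANE, neither of which this script arranges, and every key rotation means regenerating the record before the new certificate goes live, so the "cost of managing the private key" Adrien mentions does not disappear, it moves into DNS.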
Received on Monday, 26 March 2012 10:15:50 GMT
