
Re: SPDY = HTTP/2.0 or not ?

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Mon, 26 Mar 2012 12:24:18 +0200
Message-ID: <4F7043D2.2060905@stpeter.im>
To: "Adrien W. de Croy" <adrien@qbik.com>
CC: Mike Belshe <mike@belshe.com>, "Roy T. Fielding" <fielding@gbiv.com>, patrick mcmanus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3/26/12 12:15 PM, Adrien W. de Croy wrote:
> ------ Original Message ------ From: "Peter Saint-Andre"
> <stpeter@stpeter.im>
>> On 3/26/12 11:22 AM, Adrien W. de Croy wrote:
>>> ------ Original Message ------ From: "Peter Saint-Andre"
>>>>>>> From a practical point of view, there aren't a lot of
>>>>>>> alternatives to SSL on the table right now.  Most
>>>>>>> people do agree that SSL does a reasonable job of
>>>>>>> preventing eavesdropping.
>>>>>>
>>>>>> I can see a lot of resistance from customers told they
>>>>>> now need to buy and maintain a certificate from a CA just
>>>>>> to run a webserver.
>>>>>>
>>>>>> Sure they can run a self-signed cert, but that doesn't
>>>>>> fulfil the goal of giving the user security.
>>>
>>> Could we cut the FUD about needing to pay for certs? There are
>>> indeed providers of free certificates (I won't mention names
>>> for fear of being tarred with a marketing brush).
>>>
>>>> providers of free certs who
>>>>
>>>> a) verify the identity of the entity they issue the
>>>> certificate to
>>>> b) have a root cert that's sufficiently well
>>>> deployed and trusted to be usable
>>>>
>>>> ?  I'd be keen to know more.
>>>>
>>>> if not a (which is incompatible with free) then is it really
>>>> security?
>>
>> You can check the cert at the URL in my sig.
>
> Ok thanks.
>
> In the end though, even if the certificate itself isn't charged
> for, there's still a cost involved in obtaining and installing it.
>
> Generating a signing request etc, importing the certificate and
> managing the private key.
>
> These add a significant requirement to many HTTP server deployment
> scenarios, not the least in terms of level of knowledge of the
> person doing it.

It might seem easier and cheaper for me if I don't have to install a
lock on the door to my house, fumble for the keys when I get home at
night, etc. But actually it's easier and cheaper for me if random
people can't walk into my house. There ain't no such thing as free
security.

(Oh, and these messages are all as individual, not area director.)

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9wQ9IACgkQNL8k5A2w/vzFEACg0Vdrvmi/FoEMChWJImhgUlK1
v4kAoOLgclSi2ky4gMUBxJidUPAfXi0F
=cF8V
-----END PGP SIGNATURE-----
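The three steps Adrien lists in the quoted reply (generate a signing request, import the certificate, manage the private key), scripted as an added example that is not part of this thread or of any participant's message. It assumes `openssl` is on the PATH; the hostname `www.example.test` is a constructed placeholder, and the self-signing step only stands in for the CA returning `server.crt`. The point a deployer most often gets wrong is the last one: the key is created under a restrictive umask so it is never world-readable, and the certificate that comes back is checked against the key before anything is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Scripts the "generate CSR, import cert,
# manage key" steps so each one leaves a checkable artifact.
# Assumes: openssl on PATH. HOST is a constructed placeholder.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="www.example.test"

# 1. Private key. The umask in the subshell makes the file mode 0600 from the
#    moment it exists, rather than chmod-ing it afterwards.
gen_key() {
  ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORKDIR/server.key" 2>/dev/null )
}

# 2. Certificate signing request: the only artifact that should leave the host.
gen_csr() {
  openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$HOST" \
      -out "$WORKDIR/server.csr" 2>/dev/null
}

# 3. Stand-in for the CA: self-sign the CSR so the rest of the script has a
#    certificate to work with. A real CA would return server.crt instead.
sign_self() {
  openssl x509 -req -in "$WORKDIR/server.csr" -signkey "$WORKDIR/server.key" \
      -days 30 -out "$WORKDIR/server.crt" 2>/dev/null
}

# 4. Import check: the public key inside the certificate must be the public
#    half of the private key on disk. Compared via a hash of the PEM output.
key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Key-management check: octal mode of the private key ("600" expected).
# GNU stat first, BSD/macOS stat as fallback.
key_mode() {
  stat -c '%a' "$WORKDIR/server.key" 2>/dev/null || stat -f '%Lp' "$WORKDIR/server.key"
}

gen_key && gen_csr && sign_self && key_matches_cert \
  && echo "key (mode $(key_mode)), CSR and certificate are consistent in $WORKDIR"
```

Run it as-is to get a throwaway key and self-signed certificate in a temp directory; in a real deployment `server.csr` goes to the CA and `sign_self` is replaced by copying the CA's response to `server.crt`, after which `key_matches_cert` is still the check worth running before restarting the server.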
Received on Monday, 26 March 2012 10:24:51 GMT
