
Re: SPDY = HTTP/2.0 or not ?

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 26 Mar 2012 12:41:55 +0200
Cc: "Adrien W. de Croy" <adrien@qbik.com>, Mike Belshe <mike@belshe.com>, "Roy T. Fielding" <fielding@gbiv.com>, patrick mcmanus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <03B1B659-5250-49C2-8D95-AF78188F1177@bblfish.net>
To: Peter Saint-Andre <stpeter@stpeter.im>

On 26 Mar 2012, at 12:24, Peter Saint-Andre wrote:

> On 3/26/12 12:15 PM, Adrien W. de Croy wrote:
> > 
> > ------ Original Message ------ From: "Peter Saint-Andre"
> > <stpeter@stpeter.im>
> >> On 3/26/12 11:22 AM, Adrien W. de Croy wrote:
> >> 
> >>> 
> >>> ------ Original Message ------ From: "Peter Saint-Andre"
> >>>>>>> 
> >>>>>>> From a practical point of view, there aren't a lot of 
> >>>>>>> alternatives to SSL on the table right now.  Most
> >>>>>>> people do agree that SSL does a reasonable job of
> >>>>>>> preventing eavesdropping.
> >>>>>> 
> >>>>>> I can see a lot of resistance from customers told they
> >>>>>> now need to buy and maintain a certificate from a CA just
> >>>>>> to run a webserver.
> >>>>>> 
> >>>>>> Sure they can run a self-signed cert, but that doesn't
> >>>>>> fulfil the goal of giving the user security.
> >>>>>> 
> >>> 
> >>> Could we cut the FUD about needing to pay for certs? There are 
> >>> indeed providers of free certificates (I won't mention names
> >>> for fear of being tarred with a marketing brush).
> >>>> 
> >>>> providers of free certs who
> >>>> 
> >>>> a) verify the identity of the entity they issue the
> >>>> certificate to
> >>>> b) have a root cert that's sufficiently well
> >>>> deployed and trusted to be usable
> >>>> 
> >>>> ?  I'd be keen to know more.
> >>>> 
> >>>> if not a (which is incompatible with free) then is it really 
> >>>> security?
> >>>> 
> >> 
> >> You can check the cert at the URL in my sig.
> >> 
> > 
> > Ok thanks.
> > 
> > In the end though, even if the certificate itself isn't charged
> > for, there's still a cost involved in obtaining and installing it.
> > 
> > Generating a signing request etc, importing the certificate and
> > managing the private key.
> > 
> > These add a significant requirement to many HTTP server deployment 
> > scenarios, not the least in terms of level of knowledge of the
> > person doing it.
> 
> It might seem easier and cheaper for me if I don't have to install a
> lock on the door to my house, fumble for the keys when I get home at
> night, etc. But actually it's easier and cheaper for me if random
> people can't walk into my house. There ain't no such thing as free
> security.

Especially on the internet where we are all neighbours...
Adding security (even a weak one) would provide an exponential boost to security
on the internet. Currently nearly every web page can be hijacked with a man in the
middle attack that changes URLs to point to different servers.

Having said that, to cater for use cases where security is not an issue, yet
to make sure that the groups working on SPDY do not forget security, I think
having SSL be opt-out is a good idea. It satisfies both use cases, but
helps make sure the groups communicate more closely than they would otherwise do.

By the way, I am in Switzerland at an identity conference for a few days this week, and will
be in Paris towards the end of the week again. It would be nice to meet up.

Henry

> 
> (Oh, and these messages are all as individual, not area director.)
> 
> Peter
> 
> -- 
> Peter Saint-Andre
> https://stpeter.im/

Social Web Architect
http://bblfish.net/
Received on Monday, 26 March 2012 10:42:39 GMT
