On 26/03/2012 11:21, Mike Belshe wrote:
>>
>> The choice of crypto or no crypto is for the HTTP-service provider to
>> decide, it is not for us to decide on their behalf.
>>
>
> Nobody ever said we'd take away an unsecure path. I just don't want it
> to be the default. Make security opt-out rather than opt-in.
>
> How much global legislation about liability for accidentally leaked
> information do you need before you'll believe that we have a
> responsibility here?

My interpretation of many of the arguments was that there should be no insecure option. I'd be happy to see a secure by default protocol with an option to force it to plain-text (or similar).

I suspect if the protocol was secure-only, people would either not adopt it (and stick to HTTP 1.1) or would create their own variants with security disabled (likely resulting in multiple slightly incompatible protocols). I would consider either of these outcomes worse than letting people shoot themselves in the foot with a protocol that tries to outline the risks to them.

Ross

Received on Monday, 26 March 2012 12:05:29 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT