W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: The TLS hammer and resource integrity

From: J Ross Nicoll <jrn@jrn.me.uk>
Date: Wed, 28 Mar 2012 09:48:25 +0100
Message-ID: <4F72D059.6040009@jrn.me.uk>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
CC: ietf-http-wg@w3.org
I'd like to add low-power use cases (e.g. sensor networks) to that, as 
well, where the overhead of TLS is a non-trivial issue both in CPU time 
and battery power.

I maintain that if we try forcing TLS in HTTP 2.0, many people will 
complain, and then fork their own versions of HTTP 2.0 without TLS. Best 
case scenario is a single sensible standard that models HTTP without 
TLS, more likely we'll end up with 2-3 subtly incompatible versions and 
a huge stack of workarounds to hold the mess together.

Ross

On 28/03/2012 08:21, Poul-Henning Kamp wrote:
> Everything, that is, except performance and choice. There is no way to 
> get around that mandatory TLS is overkill in many high-volume 
> applications, most notably p0rn. If you want to kill HTTP/1.1, you 
> have to make HTTP/2.0 a good idea for the 50% of web traffic 
> consisting of pink bits. Second, there are places where TLS is simply 
> not a good idea, either because other security measures are in place, 
> or because transparency is specifically called for (Think: Flight 
> Recorder). 
Received on Wednesday, 28 March 2012 08:48:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:57 GMT