- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 13 Jul 2012 19:53:35 +0200
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Phillip Hallam-Baker <hallam@gmail.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Fri, Jul 13, 2012 at 05:37:23PM +0000, Poul-Henning Kamp wrote: > In message <CAMm+Lwgr1cnM3-iz_quKhN9N_dS1d6qdv26kSvKZ+T_Hr9L+hw@mail.gmail.com> > , Phillip Hallam-Baker writes: > > >5a) The TLS-HTTP gap > > > >Now as far as HTTP is concerned, headers have security implications > >and so HTTP is not going to be acceptably secure without either > >transport layer or packet layer security. > > I disagree. > > What HTTP lacks is a clear distinction between "envelope" and "body" > the way SMTP and NNTP have it. > > HTTP/2.0 would enable a lot more sites to run with cryptographic > security, if there were an unprotected envelope for load-balancers > to act on. > > I also think it should be possible to mix protected and unprotected > requests on the same TCP session. +1 on all these points ! Also, in some environments, the need for clear-text but signed exchanges is common in order to avoid tampering and to ensure transported data is safe. As amazing as it may seem, I first noticed this requirement in banking environments. There are places like this where most of the transported data has no direct user information but needs to be easy to control and process. In all these situations, dealing with a clear-text envelope is by far the best solution. Willy
Received on Friday, 13 July 2012 17:54:02 UTC