
Re: Mandatory encryption prerequisites

From: Eliot Lear <lear@cisco.com>
Date: Wed, 18 Jul 2012 07:52:59 +0200
Message-ID: <50064F3B.70806@cisco.com>
To: Paul Hoffman <paul.hoffman@gmail.com>
CC: grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Paul,

I understand Mike's logic for using TLS.  I'm even sympathetic.  But
care must be taken, nevertheless, not to make things worse.  That is in
fact possible if it means that everyone will get inured to browser
indications about validity of certificates.  Therefore, a prerequisite
is a means to do so that doesn't reduce the value of browser indications
of a secure or insecure connection.  DANE could play a role, as could
non-CA based encryption, but we ought to have clear answers for that FIRST.

Eliot




On 7/18/12 2:51 AM, Paul Hoffman wrote:
> +1 to what seems to be a lot of developers: make TLS mandatory.
>
>>  so, even when used in an internal application protocol, it's going to
>>  be end to end
>>  encrypted to make it super hard to debug?
> In an internal application protocol, why would it be "super hard to
> debug"? The client can do an HTTP dump before TLS, the server can do
> an HTTP dump after TLS; either of the sides could debug the TLS.
>
>>  http is about more than users using
>>  web browsers.
> Completely true, and not relevant. Insecure HTTP for non-browser
> applications still has the same bad properties, no?
>
>
>
Received on Wednesday, 18 July 2012 05:53:27 GMT
