W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Mandatory encryption

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Wed, 18 Jul 2012 09:41:57 -0400
Message-ID: <CAMm+LwgmNM6Emg6Fjbb2M5JcOEr4h5D+iiniBmO_JWrM+Z5Z1g@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: Mike Belshe <mike@belshe.com>, Willy Tarreau <w@1wt.eu>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Jul 18, 2012 at 9:06 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
> On Tue, 2012-07-17 at 23:54 -0700, Mike Belshe wrote:
>
>
>> Show me the user that will stand up and say, "Yes, I would like my
>> communications to be snoopable and changeable by 3rd parties without
>> my knowledge."

As has been mentioned before, embedded systems, real time control.

The operators of a nuclear power plant want to have strong
authentication on every connection but they do not want the
communications to be encrypted. That is a very common requirement in
that field.

They don't want any code that is not absolutely necessary.
Confidentiality is a low concern, integrity is a high concern.


I sell crypto for a living. I am also one of the developers of
HTTP/1.0. The people pushing this particular mandate do not understand
either in my view.

Crypto isn't a magic wand that you can wave and get 'security'.
Security is risk management and to do that you have to have an
understanding of the application area.

HTTP was always intended to be used in more than just browsers. It was
intended as a replacement for FTP as well. It was intended as a
transport layer for Web Services (the name is recent, the idea dates
back to my work in 1993, or earlier).


-- 
Website: http://hallambaker.com/
Received on Wednesday, 18 July 2012 13:42:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 18 July 2012 13:42:43 GMT