
Re: Mandatory encryption

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 18 Jul 2012 11:15:13 -0400
Message-ID: <1342624513.30417.53.camel@ds9>
To: Eliot Lear <lear@cisco.com>
Cc: Mike Belshe <mike@belshe.com>, Willy Tarreau <w@1wt.eu>, Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, 2012-07-18 at 15:56 +0200, Eliot Lear wrote:
> Mike,
> 
> On 7/18/12 8:54 AM, Mike Belshe wrote:
> 
> > Show me the user that will stand up and say, "Yes, I would like my
> > communications to be snoopable and changeable by 3rd parties without
> > my knowledge."
> > 
> 
> This is a red herring.  The real argument is around the ability of all
> web servers to get certificates that the browser will / should trust,
> or using a means of trust that doesn't require certificate chains.
> [..]

Your point is incredibly important, is absolutely intertwined, and
deserves lots of attention. I feel like focus in that area is building
but there is nothing to show for it yet. However, it's not an inherently
unsolvable problem and thus I really disagree with the "red herring"
claim. Transport security needs to be used more widely and we also need
to make the transport security work better.

I don't think that means throwing away TLS (or even the way PKI is
managed) in favor of something else, but I'm open to a different
strategy that achieves the same goals. I think everyone is.
Received on Wednesday, 18 July 2012 15:15:55 GMT
