Re: Mandatory encryption

From: Eliot Lear <lear@cisco.com>
Date: Wed, 18 Jul 2012 17:57:46 +0200
Message-ID: <5006DCFA.3060305@cisco.com>
To: Patrick McManus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Hi Patrick,

> Your point is incredibly important, is absolutely intertwined, and
> deserves lots of attention. I feel like focus in that area is building
> but there is nothing to show for it yet.

Thanks.  I agree.

> However, it's not an inherently
> unsolvable problem and thus I really disagree with the "red herring"
> claim.

What I meant by red herring is that I haven't heard anyone object to the
assertion that privacy is good.  I'm just concerned that mandating
crypto without thinking about the UI implications could make things
worse.  I do not know how hard the problem is.  It's not like we haven't
been looking at reputation/certification elsewhere, but more work is
required, as you mention above.

Mozilla and other browser developers are in a very good position to
discuss what user indications might work versus what might not, and what
the protocol implications are.  Also, I'm reminded that because HTTP is
used for everything in the world, the applicability of this work could
be circumscribed to try to make some of these issues more tractable
(like whether a user is present).

> Transport security needs to be used more widely and we also need
> to make the transport security work better.

Sure.

> I don't think that means throwing away TLS (or even the way PKI is
> managed) in favor of something else, but I'm open to a different
> strategy that achieves the same goals. I think everyone is.

Sure.

Warmest regards,

Eliot
Received on Wednesday, 18 July 2012 15:58:14 GMT