W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Protocol Design 101 (Re: Mandatory encryption)

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Wed, 18 Jul 2012 12:15:23 -0400
Message-ID: <CAMm+LwiBi-+hwLY58=f2moGvrr3gQwy9acok8_r5R8eGFDL34Q@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@gmail.com>
Cc: Carsten Bormann <cabo@tzi.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org> 
Requiring TLS for server authentication would still be bad design
because the security requirement in most cases is mutual
authentication and TLS without encryption is not a good approach to
mutual auth.



On Wed, Jul 18, 2012 at 11:50 AM, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> Given your views, would it be a good protocol design to require TLS
> for server authentication, and to allow but not require encryption?
> That is, do you think HTTP 2.0 with no mandatory server authentication
> is a good or bad protocol design?
>
> --Paul Hoffman
>



-- 
Website: http://hallambaker.com/
Received on Wednesday, 18 July 2012 16:15:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 18 July 2012 16:16:00 GMT