Re: Some reasons why mandating use ofSSL for HTTP is a really bad idea from Zhong Yu on 2012-07-18 (ietf-http-wg@w3.org from July to September 2012)

From: Zhong Yu <zhong.j.yu@gmail.com>
Date: Wed, 18 Jul 2012 13:37:12 -0500
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Henry Story <henry.story@bblfish.net>, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CACuKZqGBk4vGrTvJYAV5sAtkOWWVsoYrOGDCKGCOiePzuZJr5A@mail.gmail.com>

A short term solution is that browsers stop acting so hostile against
self signed certs. Can't there be some other ways for a browser to
establish  cert-domain trust?

On Wed, Jul 18, 2012 at 12:45 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> On Wed, Jul 18, 2012 at 1:12 PM, Henry Story <henry.story@bblfish.net> wrote:
>>
>> On 18 Jul 2012, at 19:01, Zhong Yu wrote:
>>
>>> On Tue, Jul 17, 2012 at 10:25 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
>>>> What about the other hundreds of millions of us running web servers.  You
>>>> gonna buy us our certs?
>>>
>>> Agreed. It's absolutely impractical to mandate officially signed certs
>>> on every website. That's a huge hurdle for small sites; and all big
>>> sites started from small sites.
>>
>> Unless of course you start Deploying IETF DANE, which could make the procurement of
>> such certs a lot easier, since it just requires placing a public key in DNSsec.
>>
>>    http://tools.ietf.org/wg/dane/
>>
>> making it easy to install such certs could be the task of a WG. Then one could add
>> other services to verify that these certificate are not tampered with.
>
> But now you have stepped away from mandating support for the TLS in
> use today and instead mandating support for a new design based on a
> science project.
>
> To implement HTTP/1.1, all I need is a TCP stack and a HTTP stack.
> Plenty of people have done both in a week.
>
> To implement HTTP/2.0 with your proposed mandate would require
>
> * TCP
> * HTTP 1.1
> * HTTP 2.0
> * TLS
> * PKIX
> * DNS
> * DNSSEC
> * DANE
>
>
> Oh and by the way:
>
> * PKIX is layered on HTTP creating a potential infinite regression.
> How does an OCSP server work over HTTP/2.0? Does the OCSP server cert
> need to be validated via OCSP as well? Are CRLs going to be supported?
>
> * Practical deployment of TLS REQUIRES an IPv4 address per connection
> since there is a large population of browsers that do not support SNI.
> If you mandate support for TLS in HTTP you will find everyone wants
> their server to have legacy support as well.
>
> If this is really an attempt to mandate DANE then people should say so.
>
>
> --
> Website: http://hallambaker.com/

Received on Wednesday, 18 July 2012 18:37:41 UTC