
Re: Discussion of Mandatory TLS in HTTP/2.0

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 19 Jul 2012 16:52:15 +0200
Cc: Phillip Hallam-Baker <hallam@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <E90879C2-9415-4547-8243-692E2FEEA656@bblfish.net>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>

On 19 Jul 2012, at 16:32, Poul-Henning Kamp wrote:

> In message <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>, Phillip Hallam-Baker writes:
>> My biggest Web security concern is not the risk of passwords being
>> intercepted on the wire, it's the fact that users have no practical
>> alternative to using the same password for the 100+ sites they use
>> that demand one.
> I have a hard time seeing how that can be solved at the HTTP protocol
> level?

Though interestingly enough it can be solved at the TLS+HTTP level,
see the WebID protocol:


which is best read with the demonstration and the explanation shown in the screen cast



> -- 
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe    
> Never attribute to malice what can adequately be explained by incompetence.

Social Web Architect
Received on Thursday, 19 July 2012 14:52:55 GMT
