Re: Privacy and its costs (was: Re: Mandatory encryption)

From: Dereq Dereq <dereq@japan.com>
Date: Tue, 24 Jul 2012 07:10:41 -0400
Cc: "Tim Bray" <tbray@textuality.com>,ietf-http-wg@w3.org
Message-ID: <20120724111042.298410@gmx.com>
To: "Reto Bachmann-Gmür" <reto@gmuer.ch>,"Martin J. Dürst" <duerst@it.aoyama.ac.jp>

I have reservations about mandating TLS because security may already be provided at a lower protocol level and that may not even be evident to the client or to the server.

This could arise from client device policy that causes IPSec to be used behind the scenes - assuming that the server supports that.

Ditto tcpcrypt.

So mandating TLS may result in double encryption. It also chooses a particular security protocol that may not be the choice of either the client or the server.

What I _do_ want to see is more secure communications, perhaps going as far as that insecure communications are only used when that is the explicit (non-default) choice, agreed to by both parties. That probably takes it outside the scope of HTTP.

Received on Tuesday, 24 July 2012 11:15:26 GMT