W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Semantics of HTTPS

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Thu, 13 Sep 2012 15:30:37 +0000
To: Phillip Hallam-Baker <hallam@gmail.com>
cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <1869.1347550237@critter.freebsd.dk>
In message <CAMm+Lwi-CYPbEXDucjSVM273LKkprBMY=1hUA5dRwEnGxLBLaQ@mail.gmail.com>
, Phillip Hallam-Baker writes:

>> There is a 4th option: leave the e2e semantics as-is and write an
>> RFC called "HTTPS MITM considered harmful" that explains the
>> issues and trade-offs and says why we don't want to standardise
>> that (mis)behaviour.

Is it "misbehaviour" when mandated by law in supposedly civilized societies ?

Is it "misbehaviour" when security concious organizations or organizations
under legal mandate to record all communications want to do it ?

Better to standardize, and let the user know they have limited privacy,
than the current "we're to holy for this" attitude that forces people to
fudge certificates and leave the users with no clue to the privacy
invasion.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Thursday, 13 September 2012 15:31:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 September 2012 15:31:12 GMT