W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Mandatory encryption *is* theater

From: Eliot Lear <lear@cisco.com>
Date: Sun, 25 Aug 2013 08:16:30 +0200
Message-ID: <5219A13E.5030003@cisco.com>
To: Mark Nottingham <mnot@mnot.net>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Mark,

Regarding the minutes of the group, the working group declined to
mandate encryption for a number of reasons, not just back end services. 
What I said the last time, was that we can damage overall Internet
security by inuring people to certificate warnings – or we will inhibit
adoption of HTTP2 – unless the mechanisms to manage certificates
improve.  In addition many thousands of small devices exist without a
simple means to enroll – and pay.  Even if they do enroll – and pay, the
current certificate mechanisms require that they re-enroll - and pay. 
And so they don't.  There simply is no magic bullet.  The economics are
clear.  The means to encrypt has existed nearly two decades.   Mandating
encryption from the IETF has been tried before – specifically with IPv6
and IPsec.  If anything, that mandate may have acted as an inhibitor to
IPv6 implementations and deployment and served as a point of ridicule.

And so, I do not agree with those who hummed in favor of mandatory
encryption.  HTTP2 is already very complex and is biting off enough. 
The more it bites off the less likelihood of broad adoption.  We've seen
this movie before.  What we will have instead of HTTP/2 will be an
optional alternative to HTTP/1.1 that is deployed by large scale high
performance services.  Maybe that was always the goal, but if so, let's
recognize that and relabel.  I was under a different impression.

If we wish to explore new means to authenticate endpoints, that would be
a better starting point.

Eliot
Received on Sunday, 25 August 2013 06:17:00 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:15 UTC