- From: Salvatore Loreto <salvatore.loreto@ericsson.com>
- Date: Sun, 25 Aug 2013 22:07:57 +0200
- To: <ietf-http-wg@w3.org>
- Message-ID: <521A641D.1010304@ericsson.com>
so now I have a question if one of the reasons to use encryption is to let the bytestreams traverse the networks without modifications why don't just sign them instead that encrypt them? /Sal On 8/25/13 9:09 PM, Roberto Peon wrote: > Remember that encryption != security. > Part of the reasons to use encryption have nothing to do with > security, but rather reliability-- encrypted bytestreams traverse the > network without modification far more successfully. > > There should be no reason that the client shouldn't be able to request > this more reliable channel when the URL is HTTP. > > As far as I understand, this is what we're talking about-- the > client's ability to request an encrypted channel for HTTP urls. > > -=R > > > > On Sun, Aug 25, 2013 at 11:46 AM, Eliot Lear <lear@cisco.com > <mailto:lear@cisco.com>> wrote: > > Will, > > > On 8/25/13 5:29 PM, William Chan (ιζΊζ) wrote: >> >> Another key distinction is encryption does not require >> authentication, so a proper cert is not mandatory. I'm surprised >> you mention requiring a proper cert given that you clearly >> understand a proper cert isn't necessary, given your reply to >> Yoav below. I think it's worthwhile to discuss the asserted >> benefit, but any statement about the current proposal requiring >> proper certificates sounds factually incorrect as far as I can >> tell. Did I miss something here? >> > > Possibly you did or possibly I did. I have two specific issues > with anonymous encryption: > > 1. The threat it is addressing may be better dealt with at other > layers; and > 2. It is often sold as more than it is. > > As I wrote, I do like the idea of DANE + DNSSEC and then expanding > on that. Got code for that? If it's real privacy (not just > encryption) then I'd probably be convinced (there is a matter of > responsibility, but I think DANE + DNSSEC could get us there, as > can certs from credible CAs). > > And just for the record: > > >> Yes, the proposal is that it is mandatory for the server to >> implement and offer encryption. > > That is in fact my objection, particularly the "offer" part. You > seem to be assuming (forgive me if you are not) that many > implementations small and large AND many deployments small and > large will do a whole lot of work for that offer where past > experience shows that they won't, but rather that it will in fact > hinder implementation and deployment of the rest of HTTP2. There > is an obvious question about the goals for HTTP2... > > Eliot > > -- Salvatore Loreto, PhD www.sloreto.com
Received on Sunday, 25 August 2013 20:08:23 UTC