W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Mandatory encryption *is* theater

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Sun, 25 Aug 2013 21:05:03 +0000
To: Roberto Peon <grmocg@gmail.com>
cc: Salvatore Loreto <salvatore.loreto@ericsson.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <2503.1377464703@critter.freebsd.dk>
In message <CAP+FsNekM95SuMvO1_hxeVf2hWb+rApzkD417n+1N5w_V2+VOA@mail.gmail.com>, Roberto Peon writes:

>Such entities would have motivation to circumvent security regardless of
>whether or not things are encrypted. That problem isn't technical-- it is
>political.

Correct, but if you make encrypt mandatory, they will have to break
_all_ encryption, that's what the law tells them to.

As long as encryption only affects a minority of traffic and they can
easier go around (ie: FaceBook, Google etc. delivering the goods)
they don't need to render _all_ encryption transparent.

>In any case, the intent here is to negotiate for encryption, not security.

As long as it's negotiation, and the server or client can decline that's
not a problem as such.

However, some people seem to want the server to not have a choice, that's
a no-go.

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Sunday, 25 August 2013 21:05:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:16 UTC