- From: 陈智昌 <willchan@google.com>
- Date: Mon, 26 Aug 2013 22:33:24 +0800
- To: Eliot Lear <lear@cisco.com>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CAA4WUYgZG3kUb++xBGoaCpFmF4QnHGA41ZrqDAbd=hwAfB_vEw@mail.gmail.com>
On Mon, Aug 26, 2013 at 2:46 AM, Eliot Lear <lear@cisco.com> wrote:
> Will,
>
> On 8/25/13 5:29 PM, William Chan (陈智昌) wrote:
>
> Another key distinction is encryption does not require authentication, so
> a proper cert is not mandatory. I'm surprised you mention requiring a
> proper cert given that you clearly understand a proper cert isn't
> necessary, given your reply to Yoav below. I think it's worthwhile to
> discuss the asserted benefit, but any statement about the current proposal
> requiring proper certificates sounds factually incorrect as far as I can
> tell. Did I miss something here?
>
> Possibly you did or possibly I did. I have two specific issues with
> anonymous encryption:
>
> 1. The threat it is addressing may be better dealt with at other layers;
> and
> 2. It is often sold as more than it is.
>

Great, I think we've made progress here on narrowing in on the meat of the discussion. I've got nothing new here other than what others have already said, but I'll re-emphasize a particular point. We're primarily talking about http:// URIs here. Given that constraint, it's unclear if we want to require server authentication. I think most people are starting with just encryption. So while the authentication discussion is interesting, I'd ignore authentication for now. I think it's definitely debatable how much benefit anonymous encryption provides. I'm interested in having that debate. I just want to make sure we're clear on what we're discussing (encryption, not authentication) for http:// URIs.

> As I wrote, I do like the idea of DANE + DNSSEC and then expanding on
> that. Got code for that? If it's real privacy (not just encryption) then
> I'd probably be convinced (there is a matter of responsibility, but I
> think DANE + DNSSEC could get us there, as can certs from credible CAs).
>
> And just for the record:
>
> Yes, the proposal is that it is mandatory for the server to implement and
> offer encryption.
>
> That is in fact my objection, particularly the "offer" part. You seem to
> be assuming (forgive me if you are not) that many implementations small and
> large AND many deployments small and large will do a whole lot of work for
> that offer where past experience shows that they won't, but rather that it
> will in fact hinder implementation and deployment of the rest of HTTP2.
> There is an obvious question about the goals for HTTP2...
>

Just to be clear, I've actually not said much if anything yet on this thread in support of mandatory to offer encryption. I've mostly tried to clarify the discussion, since I felt that there were inaccurate/confusing statements made earlier in the thread.

>
> Eliot
>
Received on Monday, 26 August 2013 14:33:52 UTC