RE: Rough minutes

From: Christian Huitema <huitema@huitema.net>
Date: Sun, 10 Nov 2013 16:10:34 -0800
To: "'Yoav Nir'" <ynir@checkpoint.com>, "'Julian Reschke'" <julian.reschke@gmx.de>
Cc: "'HTTP Working Group'" <ietf-http-wg@w3.org>, "'Peter Lepeska'" <bizzbyster@gmail.com>, "'Tim Bray'" <tbray@textuality.com>, "'Mark Nottingham'" <mnot@mnot.net>
Message-ID: <12f401cede72$722f17d0$568d4770$@huitema.net>

> I just don't see why opportunistic encryption is useful for sites with a
> valid certificate. I think OE is needed for the 70% of websites ([1]) that
> don't have a valid certificate.

That's certainly an argument. But then, there are design implications.
Consider the sites that do not have a valid certificate today. Is it because
they don't want to pay the CA, or is it because they don't want to bother
with certificate maintenance? If the argument is really about cost of
managing the certificate, expiry date, etc., then the opportunistic mode
should be truly "zero administration." Can we achieve that with short-lived
self-signed certificates?

-- Christian Huitema
Received on Monday, 11 November 2013 00:11:29 UTC
