
Re: Rough minutes

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Mon, 11 Nov 2013 02:54:02 +0200
To: Christian Huitema <huitema@huitema.net>
Cc: 'Yoav Nir' <ynir@checkpoint.com>, 'Julian Reschke' <julian.reschke@gmx.de>, 'HTTP Working Group' <ietf-http-wg@w3.org>, 'Peter Lepeska' <bizzbyster@gmail.com>, 'Tim Bray' <tbray@textuality.com>, 'Mark Nottingham' <mnot@mnot.net>
Message-ID: <20131111005401.GB5425@LK-Perkele-VII>
On Sun, Nov 10, 2013 at 04:10:34PM -0800, Christian Huitema wrote:
> 
> That's certainly an argument. But then, there are design implications.
> Consider the sites that do not have a valid certificate today. Is it because
> they don't want to pay the CA, or is it because they don't want to bother
> with certificate maintenance? If the argument is really about cost of
> managing the certificate, expiry date, etc., then the opportunistic mode
> should be truly "zero administration." Can we achieve that with short-lived
> self-signed certificates?

The reasons I have heard are:
1) Price

- Basic certificates are pretty cheap nowadays.
- EV certs are expensive, but whoever needs those can surely afford it.

=> Minor issue.

2) Maintenance

- Generating CSRs
- Installing certificates.
- Renewing before expiry.
- Significant potential for software improvements.

=> Significant issue.

3) Performance

- The startup overhead is significant.
- But modern hardware is pretty much powerful enough.
- HTTP/2 helps here (due to long-lived connections).

=> Minor issue in HTTP/2, might be issue in HTTP/1.

4) Mixed content

- Not all external services are available over TLS.
- Big issue for some sites (even quoted as THE showstopper).
- Of course, some view those services as security problems in
themselves (unwanted surveillance and the possibility of injecting
hostile scripts).

=> Major issue.

5) URL schemes

- Site might have http:// links to itself in the database
(major issue for some types of sites).
- Main blocker on at least one site I know.

=> Might be significant issue, depending on type of site.


-Ilari
Received on Monday, 11 November 2013 00:54:27 UTC
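The "zero administration" short-lived self-signed certificate that Christian asks about, and the "renewing before expiry" chore listed under point 2, can be made concrete with a small program. The following is an added example, not code from this thread or from any HTTP/2 implementation: it mints a self-signed certificate with a one-week lifetime, checks how much validity remains, and rotates automatically when the cert is within two days of expiry. The hostname example.invalid, the 7-day lifetime and the 2-day renewal margin are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertLifetime is the validity window given to each self-signed certificate
// (assumed value for this example). A short window limits how long a leaked
// key stays useful; the price is that rotation must be automatic.
const CertLifetime = 7 * 24 * time.Hour

// RenewMargin: rotate when less than this much validity remains (assumed).
const RenewMargin = 2 * 24 * time.Hour

// NewSelfSigned generates a fresh P-256 key and a self-signed certificate for
// host, valid from now for lifetime. Returns PEM-encoded certificate and key.
func NewSelfSigned(host string, now time.Time, lifetime time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial: self-signed certs are still sent to peers that
	// may cache or pin them, so serials must not collide across rotations.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: an end-entity cert only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// NeedsRenewal reports whether the PEM certificate is not yet valid, already
// expired, or expires within margin of now. A parse failure is returned as an
// error so that a corrupt file is never silently treated as "still fine".
func NeedsRenewal(certPEM []byte, now time.Time, margin time.Duration) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	if now.Before(cert.NotBefore) {
		return true, nil
	}
	return now.Add(margin).After(cert.NotAfter), nil
}

// Rotate is the body of the zero-administration loop: keep the current cert
// if it has enough life left, otherwise mint a new one. An unparsable current
// cert is treated as needing replacement. Returns the PEM pair in use and
// whether a rotation happened.
func Rotate(host string, certPEM, keyPEM []byte, now time.Time) (newCert, newKey []byte, rotated bool, err error) {
	if certPEM != nil {
		renew, perr := NeedsRenewal(certPEM, now, RenewMargin)
		if perr == nil && !renew {
			return certPEM, keyPEM, false, nil
		}
	}
	c, k, err := NewSelfSigned(host, now, CertLifetime)
	if err != nil {
		return nil, nil, false, err
	}
	return c, k, true, nil
}

func main() {
	now := time.Now()
	cert, key, _, err := Rotate("example.invalid", nil, nil, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s", cert)
	renew, _ := NeedsRenewal(cert, now.Add(6*24*time.Hour), RenewMargin)
	fmt.Println("needs renewal six days from now:", renew, "key PEM bytes:", len(key))
}
```

Run as a periodic job (or from a listener's GetCertificate callback), Rotate is the entire administrative burden of the self-signed path: no CSR, no CA, no expiry calendar. What it does not give is third-party trust; a client that wants more than opportunistic encryption still has to pin or otherwise learn the key, which is the trade-off behind the question in the quoted message.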
