W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Tao Effect <contact@taoeffect.com>
Date: Wed, 13 Nov 2013 10:49:22 -0500
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <6C537D2B-4936-49EB-B534-FCF75255E3A4@taoeffect.com>
To: Julian Reschke <julian.reschke@gmx.de>
On note on this:

> Both 1.1 and 2.0 use the PKI/CA system only by indirection (through TLS).
> 
> I agree that there are problems with this system, but addressing those needs to happen in a different working group.


Be extremely alert and wary for the support that this is likely to receive from those selling SSL certificates.

Obviously they have a monetary incentive to keep that broken and insecure system running.

I can see it now: "Paying for HTTPS certs is just like requiring people to carry car insurance in real life."

And other, similar bullsh*t.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Nov 13, 2013, at 9:26 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

> On 2013-11-13 15:20, Tao Effect wrote:
>> Hi list!
>> 
>> I only just heard about this discussion now, and so I signed up on the list.
>> 
>> I strongly urge the HTTP working group and the IETF (if that's a different entity) to not rush this and allow more time for feedback from the internet community.
>> 
>> The IETF is not the internet, and I assure you that there are a lot of people out there working on various solutions independently. They have valuable ideas to share, and feedback to offer. I think it's worth giving them a chance to speak before declaring something "HTTP 2.0".
>> 
>> What I have read so far of the suggestions here leads me to think the ideas are still very immature.
>> 
>> Correct me if I'm wrong, but is "HTTP/2.0" still using today's PKI/CA system?
>> 
>> If so, it is not worthy of the "2.0" designation, as any system that preserves this broken system does not provide any meaningful security guarantees.
>> ...
> 
> Both 1.1 and 2.0 use the PKI/CA system only by indirection (through TLS).
> 
> I agree that there are problems with this system, but addressing those needs to happen in a different working group.
> 
> Best regards, Julian
> 
> 


Received on Wednesday, 13 November 2013 15:49:58 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC