
Re: Moving forward on improving HTTP's security

From: Peter Lepeska <bizzbyster@gmail.com>
Date: Wed, 13 Nov 2013 11:25:46 -0500
Message-ID: <CANmPAYHQSdo19U+-VeywkhA3L-GuE4e6Shhi8ouAY_am5JWyGQ@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: "Julian F. Reschke" <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>

I'd like to see the group hold off on making this decision until we've also
come up with an agreed upon way for proxies to function in an HTTP2, all
TLS Internet. Without it we're essentially requiring proxies to do MITM to
function. Is this increasing security?

Peter


On Wed, Nov 13, 2013 at 10:59 AM, Mark Nottingham <mnot@mnot.net> wrote:

> Hi Julian,
>
> On 13 Nov 2013, at 9:33 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
>
> >> As a result, I'm making an informed judgement call, based upon
> discussions so far and the options available to us. I do not do so lightly,
> and have been in active consultation with many of those it will affect, as
> well as IETF leadership. If that call is wrong, I'm confident that the WG
> will correct it, but again, that is *not* voting.
> >
> > Well, your mail makes it sound as if a decision already has been made,
> and that you're willing to revisit it if the WG pushes back. That's
> different from making a *proposal*, discuss it over here (and maybe *then*
> make a decision).
>
> I would put it differently. I see only one viable path forward at this
> point in time, based upon the myriad constraints we face. If another
> becomes available, of course we will consider it.
>
> >> Of course. I've announced what I believe our current state is; if there
> is serious pushback that has technical merit, we'll have to revisit it. And
> as I've said many times, I'm open to proposals -- especially those that can
> a) gain consensus b) actually get implemented and c) get approved by the
> whole IETF community. Haven't seen any others yet.
> >
> > How do you judge the technical merit exactly?
>
> On a case by case basis. How do you expect me to answer that question?
>
> > Do you believe it's acceptable that the default naming scheme for the
> web ("http") is affected (in that either users keep getting redirected, or
> bookmarks/links will have to change)?
>
> ...*if* they want to use the latest version of HTTP, and provided that
> another mechanism isn't added later.
>
> I do want to explore this issue; we might need to either layer on
> opportunistic encryption (which is NOT yet firmly ruled out; we'll evaluate
> whether it's still needed as we progress), modify our charter, or address
> it in some other way.
>
> Regards,
>
> --
> Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 13 November 2013 16:26:13 UTC
