W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Peter Lepeska <bizzbyster@gmail.com>
Date: Wed, 13 Nov 2013 11:45:25 -0500
Message-ID: <CANmPAYGnoPZM5rRjzKE+fMMVn0x9L0d-_GxDWifL2gUnSxfgqA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: "Julian F. Reschke" <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
Seems like this decision (requiring TLS for HTTP2) is dependent on the
details of the proxy inter-operability issue. And so it should wait until
that gets ironed out.

Also I want to go on record agreeing with Julian that the hums were
inconclusive. And this was partially b/c the options were not well defined
and the "I can't live with" approach was confusing and also I think b/c
there was no "rough consensus".

Thanks,

Peter


On Wed, Nov 13, 2013 at 11:27 AM, Peter Lepeska <bizzbyster@gmail.com>wrote:

> That's great. Let me know if I can help.
>
> Peter
>
>
> On Wed, Nov 13, 2013 at 11:27 AM, Mark Nottingham <mnot@mnot.net> wrote:
>
>> Hi Peter,
>>
>> We have a group of people working on use cases and proposals for that
>> very topic now.
>>
>> Regards,
>>
>>
>> On 14 Nov 2013, at 12:25 am, Peter Lepeska <bizzbyster@gmail.com> wrote:
>>
>> > I'd like to see the group hold off on making this decision until we've
>> also come up with an agreed upon way for proxies to function in an HTTP2,
>> all TLS Internet. Without it we're essentially requiring proxies to do MITM
>> to function. Is this increasing security?
>> >
>> > Peter
>> >
>> >
>> > On Wed, Nov 13, 2013 at 10:59 AM, Mark Nottingham <mnot@mnot.net>
>> wrote:
>> > Hi Julian,
>> >
>> > On 13 Nov 2013, at 9:33 pm, Julian Reschke <julian.reschke@gmx.de>
>> wrote:
>> >
>> > >> As a result, Iím making an informed judgement call, based upon
>> discussions so far and the options available to us. I do not do so lightly,
>> and have been in active consultation with many of those it will affect, as
>> well as IETF leadership. If that call is wrong, Iím confident that the WG
>> will correct it, but again, that is *not* voting.
>> > >
>> > > Well, your mail makes it sound as if a decision already has been
>> made, and that you're willing to revisit it if the WG pushes back. That's
>> different from making a *proposal*, discuss it over here (and maybe *then*
>> make a decision).
>> >
>> > I would put it differently. I see only one viable path forward at this
>> point in time, based upon the myriad constraints we face. If another
>> becomes available, of course we will consider it.
>> >
>> > >> Of course. Iíve announced what I believe our current state is; if
>> there is serious pushback that has technical merit, weíll have to revisit
>> it. And as Iíve said many times, Iím open to proposals ó especially those
>> that can a) gain consensus b) actually get implemented and c) get approved
>> by the whole IETF community. Havenít seen any others yet.
>> > >
>> > > How do you judge the technical merit exactly?
>> >
>> > On a case by case basis. How do you expect me to answer that question?
>> >
>> > > Do you believe it's acceptable that the default naming scheme for the
>> web ("http") is affected (in that either users keep getting redirected, or
>> bookmarks/links will have to change)?
>> >
>> > ...*if* they want to use the latest version of HTTP, and provided that
>> another mechanism isnít added later.
>> >
>> > I do want to explore this issue; we might need to either layer on
>> opportunistic encryption (which is NOT yet firmly ruled out; weíll evaluate
>> whether itís still needed as we progress), modify our charter, or address
>> it in some other way.
>> >
>> > Regards,
>> >
>> > --
>> > Mark Nottingham   http://www.mnot.net/
>> >
>> >
>> >
>> >
>> >
>>
>> --
>> Mark Nottingham   http://www.mnot.net/
>>
>>
>>
>>
>
Received on Wednesday, 13 November 2013 16:45:56 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC