
Re: Moving forward on improving HTTP's security

From: 陈智昌 <willchan@chromium.org>
Date: Wed, 13 Nov 2013 11:16:52 -0800
Message-ID: <CAA4WUYjea3r4ng9uxxNLY1b=XBJ9efAVsn7uUBDwu++FZxTgUA@mail.gmail.com>
To: Tao Effect <contact@taoeffect.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike Belshe <mike@belshe.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Nov 13, 2013 at 11:12 AM, Tao Effect <contact@taoeffect.com> wrote:

> On Nov 13, 2013, at 2:06 PM, William Chan (陈智昌) <willchan@chromium.org>
> wrote:
>
> Would it be unreasonable to request that we also not debate PR here,
> unless it's directly pertinent to the internet drafts we are standardizing?
> I don't really want to change how we do things just because of news
> headlines on tech sites.
>
>
> You're not being asked to change "how you do things".
>
> You're being asked to not spread potentially dangerous misinformation.
>

Sorry, if we're spreading potentially dangerous misinformation, let's fix
that. Can you identify which internet draft has said information so we can
fix it?


>
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> On Nov 13, 2013, at 2:06 PM, William Chan (陈智昌) <willchan@chromium.org>
> wrote:
>
> Would it be unreasonable to request that we also not debate PR here,
> unless it's directly pertinent to the internet drafts we are standardizing?
> I don't really want to change how we do things just because of news
> headlines on tech sites. I'd rather discuss the technical merits of
> encouraging further use of secure communication channels in the various
> situations described in Mark's original email.
>
>
> On Wed, Nov 13, 2013 at 10:53 AM, Tao Effect <contact@taoeffect.com> wrote:
>
>> OK, I agree with this sentiment.
>>
>> What worries me is the emphasis that I see being placed on HTTP 2.0 being
>> "secure".
>>
>> Perhaps it is somewhat of a marketing problem, but nevertheless, it's a
>> marketing problem with potentially serious security consequences.
>>
>> If HTTP/2.0 is flexible enough to allow for very different types of
>> authentication practices than the ones currently done with the PKI/CA
>> system, then I would support it.
>>
>> Just make it *_clear_* then that HTTP/2.0 *is not about improving
>> security.*
>>
>> If this is not made crystal clear, then people will continue to see news
>> headlines on tech sites that give people the impression that something is
>> actually being done to improve the internet's security with this "move to
>> HTTP 2.0!", which is horse sh*t.
>>
>> - Greg
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing
>> with the NSA.
>>
>> On Nov 13, 2013, at 1:47 PM, Martin Thomson <martin.thomson@gmail.com>
>> wrote:
>>
>> On 13 November 2013 10:42, William Chan (陈智昌) <willchan@chromium.org>
>> wrote:
>>
>> If there are issues with TLS or the PKI or whatever we're relying on for
>> the secure channel, let's fix it.
>>
>>
>> Yes.  We outsource the bulk of HTTP security work to the SEC area
>> working groups, primarily TLS.  They are acutely aware of the issues
>> and are working on improving the situation.  Let's concentrate on what
>> we can do.
>>
>>
>>
>
>
Received on Wednesday, 13 November 2013 19:17:19 UTC
