Re: Moving forward on improving HTTP's security

From: Tao Effect <contact@taoeffect.com>
Date: Wed, 13 Nov 2013 14:32:00 -0500
Cc: Martin Thomson <martin.thomson@gmail.com>, Mike Belshe <mike@belshe.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <859F4247-3A54-4F65-A9EF-BC34F378DE07@taoeffect.com>
To: "William Chan (陈智昌)" <willchan@chromium.org>

On Nov 13, 2013, at 2:16 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
> Sorry, if we're spreading potentially dangerous misinformation, let's fix that. Can you identify which internet draft has said information so we can fix it?

Am I limited to internet drafts? I haven't been following the ones on HTTP/2.0. Like most people, I'm dazzled by catchy subject titles.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Nov 13, 2013, at 2:16 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:

> On Wed, Nov 13, 2013 at 11:12 AM, Tao Effect <contact@taoeffect.com> wrote:
> On Nov 13, 2013, at 2:06 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
> 
>> Would it be unreasonable to request that we also not debate PR here, unless it's directly pertinent to the internet drafts we are standardizing? I don't really want to change how we do things just because of news headlines on tech sites. 
> 
> You're not being asked to change "how you do things".
> 
> You're being asked to not spread potentially dangerous misinformation.
> 
> Sorry, if we're spreading potentially dangerous misinformation, let's fix that. Can you identify which internet draft has said information so we can fix it?
>  
> 
> - Greg
> 
> --
> Please do not email me anything that you are not comfortable also sharing with the NSA.
> 
> On Nov 13, 2013, at 2:06 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
> 
>> Would it be unreasonable to request that we also not debate PR here, unless it's directly pertinent to the internet drafts we are standardizing? I don't really want to change how we do things just because of news headlines on tech sites. I'd rather discuss the technical merits of encouraging further use of secure communication channels in the various situations described in Mark's original email.
>> 
>> 
>> On Wed, Nov 13, 2013 at 10:53 AM, Tao Effect <contact@taoeffect.com> wrote:
>> OK, I agree with this sentiment.
>> 
>> What worries me is the emphasis that I see being placed on HTTP 2.0 being "secure".
>> 
>> Perhaps it is somewhat of a marketing problem, but nevertheless, it's a marketing problem with potentially serious security consequences.
>> 
>> If HTTP/2.0 is flexible enough to allow for very different types of authentication practices than the ones currently done with the PKI/CA system, then I would support it.
>> 
>> Just make it _clear_ then that HTTP/2.0 is not about improving security.
>> 
>> If this is not made crystal clear, then people will continue to see news headlines on tech sites that give people the impression that something is actually being done to improve the internet's security with this "move to HTTP 2.0!", which is horse sh*t.
>> 
>> - Greg
>> 
>> --
>> Please do not email me anything that you are not comfortable also sharing with the NSA.
>> 
>> On Nov 13, 2013, at 1:47 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> 
>>> On 13 November 2013 10:42, William Chan (陈智昌) <willchan@chromium.org> wrote:
>>>> If there are issues with TLS or the PKI or whatever we're relying on for the
>>>> secure channel, let's fix it.
>>> 
>>> Yes.  We outsource the bulk of HTTP security work to the SEC area
>>> working groups, primarily TLS.  They are acutely aware of the issues
>>> and are working on improving the situation.  Let's concentrate on what
>>> we can do.
>> 
>> 
> 
> 



Received on Wednesday, 13 November 2013 19:32:31 UTC