W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Michael Sweet <msweet@apple.com>
Date: Thu, 14 Nov 2013 14:13:58 -0500
Cc: "William Chan (ι™ˆζ™Ίζ˜Œ)" <willchan@chromium.org>, James M Snell <jasnell@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, Willy Tarreau <w@1wt.eu>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-id: <493868FF-6A2D-4841-B7AB-0A9E5661CB03@apple.com>
To: Mike Belshe <mike@belshe.com>
Mike,

On Nov 14, 2013, at 1:22 PM, Mike Belshe <mike@belshe.com> wrote:
> Printers can just use HTTP/1.1 if they don't want to use TLS, just like they can use HTTP/1.0 if they don't support HTTP/1.1

No, actually, they can't use HTTP/1.0 if they do IPP.  IPP mandates a minimum of HTTP/1.1 (for chunking, among other reasons).

Aside from some of the cloud/infrastructure extensions we (the Printer Working Group) are working on now, we are also dealing with deployment issues for IPP over USB.  The current mapping over USB uses HTTP/1.1 over bulk in/out endpoints, which means 1 interface for each "connection".  Since most of the SoCs used by printer vendors support 3 or 4 interfaces maximum for every protocol/function a device supports, this can be a major constraint.

Both of these IPP extensions will benefit from HTTP/2.0.  The cloud/infrastructure extensions obviously will make use of TLS and authentication, but doing TLS over USB is both unnecessary and a complete non-starter.

> But plenty of printers today already support https.  Enterprises already have needs for encrypted data to the printer.  The fact that TLS is hard to deploy there is not a new problem nor relevant to HTTP2 - its not like we should reduce security to printers because TLS was hard.  The owners of those printers still have legal needs for TLS :-)

Of course, and I am not suggesting that we don't want TLS.  But I *am* suggesting that TLS is not the answer to every possible security problem.

> Using TLS everywhere will make it easier for these folks because the tooling will get better.

Strictly speaking, the issue is not with TLS but with how certificates are managed, verified, etc.  TLS, done wrong, is just as insecure and out in the open as clear text.  And based on the comments on this list, TLS is being done wrong today, deliberately.

Let's be honest about what TLS offers HTTP, and come up with solutions that apply equally to HTTP/1.x and HTTP/2.0.  And let's retain http:// support in HTTP/2.0 to keep our security and deployment options open.

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
Received on Thursday, 14 November 2013 19:14:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC