W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 14 Nov 2013 13:27:12 -0800
Message-ID: <CAP+FsNf75rufzOH7gofUoutPmbRrB-hnwPZ-zHRrNerXrB1ckQ@mail.gmail.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
This is going sideways.

You cut out the suggestion about alternate input, e.g. barcode.

There are two nearly orthogonal issues here.
1) security/authentication
2) protocol

It has been said over and over that http2 is specced and will be specced to
allow plaintext on intranets.

Doing so is not a great idea for device configuration of devices where
security matters.

The security issue is separate.

You need a trust chain for authentication.
The best trust chain involves meat-space interaction with the device and
involves no third party and has nothing at all to do with the protocol that
otherwise would be spoken.

-=R
On Nov 14, 2013 11:14 AM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:

> On 2013-11-15 09:41, Roberto Peon wrote:
>
>> Well, in such cases you may be screwed and should use a device that has
>> such, else you have an insurmountable trust root problem.
>>
>
>
> You do realise that a huge population in India and Africa are using
> networks that consist solely of wireless AP, cellphone or tablet, right?
> Electricity supply in many areas is not reliable enough to even run an old
> fashioned PC.
>
> You just cut off how many people? oh well,
>
>
> Looking forward, the high-tech countries are already rolling out similar
> sorts of networks. Japan for example is rolling out HTTP-over-LED_lightbulb
> and vehicle manufacturers are rolling out vehicle-vehicle wireless
> communication (via proxies!). Now try locating the TLS certificate of the
> lightbulb nearest you when you get of the train ... so that you can simply
> connect to it.
>
> Whats the population of east asia? oh well,
>
>
> Then there is that media whipping-post about trends in mobile devices
> replacing other technology.
>
> Cut off them and you have lost a majority of the entire population. Both
> Internet-of-Users and Internet-of-Things with no security.
>
>
> So, how fast were you going to replace/upgrade every single Internet
> connected device on the planet to support cabled connection with HTTP/2?
>
>
> non-TLS forms of PKI seem to be working far better in those above systems
> for simultaneous performance and security than HTTPS/TLS can offer at its
> best. The TLS system has edges. Long overdue time to admit they are there
> and work towards supporting the next best thing in HTTP/2 (or is it really
> going to be an old thing that got sidelined because TLS CA model was "easy"
> ?).
>
> Amos
>
>
>
Received on Thursday, 14 November 2013 21:27:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC