W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 15 Nov 2013 15:03:47 +0800
Cc: Roberto Peon <grmocg@gmail.com>, Will Chan <willchan@chromium.org>, "Julian F. Reschke" <julian.reschke@gmx.de>, Tao Effect <contact@taoeffect.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Zhong Yu <zhong.j.yu@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, James M Snell <jasnell@gmail.com>, Michael Sweet <msweet@apple.com>, Nicholas Hurley <hurley@todesschaf.org>, Tim Bray <tbray@textuality.com>, Mike Belshe <mike@belshe.com>, Willy Tarreau <w@1wt.eu>
Message-Id: <2196ACEB-A8E3-44C8-837C-F46797E734EC@mnot.net>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
This is getting really off-topic for the list; see previous e-mail.

It’s fine to bring new information to the list, and with discussing the issues. It’s even OK to use this list as a way to try to change the minds of the browser vendors about what their products will support, as long as it is brief and not repetitive. 

We need to focus discussion on what words, if any, will appear in the HTTP spec regarding this issue. 

Regards,


On 15 Nov 2013, at 2:57 pm, Nicolas Mailhot <nicolas.mailhot@laposte.net> wrote:

> 
> Le Ven 15 novembre 2013 07:01, Nicolas Mailhot a écrit :
>> 
>> Le Jeu 14 novembre 2013 21:57, Roberto Peon a écrit :
>>> .. And?
>> 
>> And egg meet chicken you need the protocol to make the connexion work, but
>> you're building a protocol that requires this connexion before working
> 
> (unless of course I misunderstood and instead of using the physical link
> to import a trusted cert in the device you want to use it to import
> whatever's in the device in your browser cert store. Making any connected
> device factory in China a giant CA able to inject any cert it wants in
> millions of browsers. And I thought existing CA security was bad, do you
> think the Chinese factory will even bother with a physical lock on its
> mastering robots?)
> 
> -- 
> Nicolas Mailhot
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Friday, 15 November 2013 07:04:30 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC