- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 19 Nov 2013 21:52:08 +0000
- To: Nicolas Mailhot <nicolas.mailhot@laposte.net>, Mike Belshe <mike@belshe.com>
- CC: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Hiya, On 11/19/2013 07:07 PM, Nicolas Mailhot wrote: > > Le Mar 19 novembre 2013 10:45, Mike Belshe a écrit : > >> Alright, well thats all fine, but I really don't know why you're going off >> on this rant. Can you cite for me the specific quote from anyone on >> this >> list who declared or implied that TLS was a comprehensive solution for >> 'security' or 'privacy'? I don't think anyone did, so this rant is really >> unnecessary. > > That's playing with words, Chrome and Mozilla representatives have been > quite clear they wanted to force a TLS-only web for 'security' and > 'privacy'. To be fair, I don't think its only them. > Even though there is a ton of things those browsers could do > *now* to improve privacy without fostering pki on everyone else. And in fact progress on the TLS front can be made without needing to hook every site into the WebPKI, but that depends on the approach that the WG take. So "fostering PKI" isn't right (and maybe you meant foisting PKI), but as has been said before there is clear value in doing more HTTP over TLS even if the wg choose to take the route where the WebPKI is needed for more TLS. > Really, it's getting quite annoying to see all this forceful selling of > TLS in the name of privacy and security while systematically stonewalling > any attempt to consider the parts of the protocol that are used to data > mine users now (let's use the business term not emotional appeals). On that last - I've not seen any drafts or worked out suggestions for such. I can see that it might be de-motivating to do that work if you don't think browsers would adopt it, and it might not be within this wg's current charter, but discussion of such *is* in scope for the perpass list and, possibly, the websec wg, depending on where it went. I'd encourage you to write a draft on that topic, and post there, keeping it separate from TLS related issues, since it is and should be separate. While data minimisation stuff is hard, its also something that we need to look at, perhaps longer term, but we shouldn't forget it. Cheers, S. >
Received on Tuesday, 19 November 2013 21:52:31 UTC