W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: A proposal

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 19 Nov 2013 21:52:08 +0000
Message-ID: <528BDD88.5000500@cs.tcd.ie>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>, Mike Belshe <mike@belshe.com>
CC: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>

Hiya,

On 11/19/2013 07:07 PM, Nicolas Mailhot wrote:
> 
> Le Mar 19 novembre 2013 10:45, Mike Belshe a écrit :
> 
>> Alright, well thats all fine, but I really don't know why you're going off
>> on this rant.    Can you cite for me the specific quote from anyone on
>> this
>> list who declared or implied that TLS was a comprehensive solution for
>> 'security' or 'privacy'?  I don't think anyone did, so this rant is really
>> unnecessary.
> 
> That's playing with words, Chrome and Mozilla representatives have been
> quite clear they wanted to force a TLS-only web for 'security' and
> 'privacy'. 

To be fair, I don't think its only them.

> Even though there is a ton of things those browsers could do
> *now* to improve privacy without fostering pki on everyone else.

And in fact progress on the TLS front can be made without needing
to hook every site into the WebPKI, but that depends on the
approach that the WG take.

So "fostering PKI" isn't right (and maybe you meant foisting
PKI), but as has been said before there is clear value in doing
more HTTP over TLS even if the wg choose to take the route
where the WebPKI is needed for more TLS.

> Really, it's getting quite annoying to see all this forceful selling of
> TLS in the name of privacy and security while systematically stonewalling
> any attempt to consider the parts of the protocol that are used to data
> mine users now (let's use the business term not emotional appeals).

On that last - I've not seen any drafts or worked out suggestions
for such. I can see that it might be de-motivating to do that
work if you don't think browsers would adopt it, and it might not
be within this wg's current charter, but discussion of such *is* in
scope for the perpass list and, possibly, the websec wg, depending
on where it went. I'd encourage you to write a draft on that topic,
and post there, keeping it separate from TLS related issues, since
it is and should be separate. While data minimisation stuff is
hard, its also something that we need to look at, perhaps longer
term, but we shouldn't forget it.

Cheers,
S.


> 
Received on Tuesday, 19 November 2013 21:52:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC