- From: Peter Saint-Andre <stpeter@stpeter.im>
- Date: Tue, 19 Nov 2013 15:11:50 -0700
- To: Adrien de Croy <adrien@qbik.com>, Nicolas Mailhot <nicolas.mailhot@laposte.net>, Mike Belshe <mike@belshe.com>
- CC: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>

On 11/19/13 3:04 PM, Adrien de Croy wrote:
> I can't imagine a server author taking the step of requiring all
> their customers to suddenly buy certs.

Using TLS does not mean one needs to buy a PKIX certificate from a CA. Some CAs issue free certificates, one can use self-signed certificates, one can provision keys in DNS (DANE/TLSA), one can use PGP keys, one can use anonymous DH cipher suites, etc.

You might think some of those options are non-starters, but it's incorrect to say that mandatory TLS means we're forcing people to buy certificates from CAs.

Peter

--
Peter Saint-Andre
https://stpeter.im/

Received on Tuesday, 19 November 2013 22:12:16 UTC