
Re: A proposal

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 19 Nov 2013 23:33:17 +0100
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <o1pn891887gs8jm0dtkf7stqu0dplun3lv@hive.bjoern.hoehrmann.de>

* Peter Saint-Andre wrote:
>Using TLS does not mean one needs to buy a PKIX certificate from a CA.
>Some CAs issue free certificates, one can use self-signed
>certificates, one can provision keys in DNS (DANE/TLSA), one can use
>PGP keys, one can use anonymous DH cipher suites, etc. You might think
>some of those options are non-starters, but it's incorrect to say that
>mandatory TLS means we're forcing people to buy certificates from CAs.

We should assume that none of the options you list are available unless
mandatory TLS means that we're forcing people to implement them. I have
no difficulty imagining a major browser vendor announcing they will, say,
no longer connect to sites with free or self-signed certificates, with
no option for the user to override.

Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 19 November 2013 22:33:46 UTC
