Re: Getting our definitions of encryption straight for the HTTP/2 security discussion

Hi Paul

Not sure I much like the text for the opportunistic.

STARTTLS in SMTP/IMAP works by the server firstly advertising 
availability of encryption.  This would trigger a client to 
actually ask for it only if the client were so configured.  In many mail 
clients for instance, this won't actually cause any encryption to happen 
at all with default config.  So there's no contract about making any 
best effort to achieve crypto.  It can be no effort and no crypto and 
commonly is.

So maybe this doesn't describe what is meant by opportunistic encryption 
and we need another term, or do we change the meaning?

Adrien






------ Original Message ------
From: "Paul Hoffman" <paul.hoffman@gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 21/11/2013 1:20:04 p.m.
Subject: Re: Getting our definitions of encryption straight for the 
HTTP/2 security discussion
>I agree that my earlier term  "authenticated encryption" would have 
>collisions with other technologies, and I updated the definitions to 
>match James' wording.

Received on Thursday, 21 November 2013 00:40:20 UTC