W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Getting our definitions of encryption straight for the HTTP/2 security discussion

From: Adrien de Croy <adrien@qbik.com>
Date: Thu, 21 Nov 2013 01:23:14 +0000
To: "Paul Hoffman" <paul.hoffman@gmail.com>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <em89494095-c018-4998-9ea0-5fc8f19b127b@bodybag>

we may be missing a case from the list then.

If crypto is going to be truly a choice of the server operator whether 
they will deploy it etc, then the protocol would need to support:

* advertisement by server (or not)
* choice by client (or not)

E.g. basically the same as STARTTLS works today (which we have a fairly 
good amount of experience with).

Whether a client would choose crypto if advertised I would imagine 
should be a choice of the user.  Whether crypto is offered is a choice 
of the server operator.

Adrien


------ Original Message ------
From: "Paul Hoffman" <paul.hoffman@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>; 
"ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 21/11/2013 2:04:22 p.m.
Subject: Re: Getting our definitions of encryption straight for the 
HTTP/2 security discussion
>You are right that the examples of STARTTLS do not match the 
>definition; I'll remove them. What is important for the definition is 
>that "opportunistic" match what it means in other protocols in the 
>IETF, and I believe that almost always is "try even if you weren't 
>asked to".
>
>
>On Wed, Nov 20, 2013 at 4:40 PM, Adrien de Croy <adrien@qbik.com> 
>wrote:
>>
>>Hi Paul
>>
>>not sure I like much the text for the opportunistic.
>>
>>STARTTLS in SMTP/IMAP works by the server firstly advertising 
>>availability of encryption.  This would only trigger a client to 
>>actually ask for it only if the client were so configured.  In many 
>>mail clients for instance, this won't actually cause any encryption to 
>>happen at all with default config.  So there's no contract about 
>>making any best effort to achieve crypto.  It can be no effort and no 
>>crypto and commonly is.
>>
>>So maybe this doesn't describe what is meant by opportunistic 
>>encryption and we need another term, or do we change the meaning?
>>
>>Adrien
>>
>>
>>
>>
>>
>>
>>------ Original Message ------
>>From: "Paul Hoffman" <paul.hoffman@gmail.com>
>>To: "Manger, James H" <James.H.Manger@team.telstra.com>
>>Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
>>Sent: 21/11/2013 1:20:04 p.m.
>>Subject: Re: Getting our definitions of encryption straight for the 
>>HTTP/2 security discussion
>>>I agree that my earlier term  "authenticated encryption" would have 
>>>collisions with other technologies, and I updated the definitions to 
>>>match James' wording.
>
Received on Thursday, 21 November 2013 01:22:59 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC