W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Proposal for doing unauthenticated encryption inside of HTTP/2

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Tue, 3 Dec 2013 09:32:37 -0800
Message-ID: <CAPik8yaMWxCoYCzcSW8Fq3oC1+=2WdpdpXdPTOwmVWd70iYuzQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Tue, Dec 3, 2013 at 9:11 AM, Martin Thomson <martin.thomson@gmail.com>wrote:

> On 3 December 2013 07:24, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> > draft-hoffman-httpbis-minimal-unauth-enc
>
> I have a lot of questions, but here's a few to start with:
>
> Why headers and not frames?
>

- Could be headers or frames, as long as it is some place that is in the
control plane. That's for the grizzled HTTP/2 experts (as in, not me) to
pick.


>
> Why did you choose to submit a draft that doesn't tackle the key
> question of what is being encrypted?
>

Because the goal is to "encrypt more", and there is disagreement about what
"more" means. The WG seemed more wedged on how to encrypt than what to
encrypt. I trust the WG to resolve the latter if they figure out the former.


> Why did you choose to invent a new security protocol and not repurpose
> something like DTLS?
>

DTLS assumes a transport layer after the negotiation is done. DTLS takes
many more round trips. DTLS has the concept of authenticating the server
mostly built-in. If the WG wants DTLS, I would strongly suggest using TLS
instead.

And, this isn't inventing a new protocol: it is instantiating what is known
to be the minimum needed to get an encryption key. "Here is some key
material and a description of it; yes, that's fine, and here we go" or
"Here is some key material and a description of it; no, I'd rather use this
algorithm so here is my initial keying material; yes, that's fine, and here
we go" plus rejection messages. This is sufficient for borking passive
surveillance but not active attacks.

--Paul Hoffman
Received on Tuesday, 3 December 2013 17:33:04 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC