Re: HTTP/2.0 draft, NPN/ALPN, and TLS

On 10/12/13 18:11, Martin Thomson wrote:
> On 9 December 2013 23:31, Chris Burdess <dog@gnu.org> wrote:
>> But, as I said before, the place that we want to end up is with the
>> confidentiality (and authentication) layer being provided by IPsec, and
>> TLS deprecated.
> 
> I'm not sure that this premise has been agreed.

If you don't agree with this, I can think of only 3 reasons:

1. you think that the application layer is better than the transport
layer to secure the connection
2. you think that the connection should be secured both at the transport
layer and at the application layer (double encryption)
3. you think that the connection should not be secured at all

I don't believe that you think 3, since you have argued in favour of TLS.

Regarding 2, this is redundant, requires considerably more effort, and
I'm not sure exactly what you might think the benefits are.

Regarding 1, we could weigh up the benefits of each side:

Pro transport layer:
- all application layer protocols benefit without having to design in
anything special for them (transparency)
- can secure UDP as well as TCP connections
- IPsec can secure more of the packet envelope than TLS or any other
application level system
- doesn't require PKI (which can be a vulnerable point)

Pro application layer:
- TLS is better known
- TLS supports NAT traversal at the protocol layer (maybe not really an
issue with IPv6)
- ISPs might charge more to support IPsec since it is seen as a B2B feature
- can do user-level (as opposed to endpoint-level) authentication,
although typically this is done within the particular application
protocol as well

Perhaps there are other salient issues not listed here. On balance of
the above, to me it looks like the transport layer is a head ahead.

Received on Wednesday, 11 December 2013 11:24:00 UTC
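As an added illustration of the "IPsec can secure more of the packet envelope" point argued in the message above (this is example code written for this page, not something from the poster or the list), the script below builds the same HTTP request twice, once as a TLS application-data record over TCP and once inside an ESP tunnel-mode packet, then runs a key-less passive observer over both and reports which fields it can still read. All addresses, ports, the SPI and the key are constructed sample values, and `toy_encrypt` is an HMAC-keystream stand-in for a real AEAD used only so the ciphertext is opaque to the observer; IKE, PKI and the other trade-offs in the list are outside what it shows.

```python
"""Constructed comparison of what a passive on-path observer can read from
one HTTP request carried as TLS-over-TCP versus IPsec ESP in tunnel mode.
Packets are hand-built with constructed values; the cipher is a demo stand-in."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key-not-real"  # constructed sample key, never used for real traffic
HTTP_REQUEST = b"GET /account HTTP/1.1\r\nHost: internal.example\r\n\r\n"  # constructed request


def toy_encrypt(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    """Stand-in for AES-GCM/ChaCha20: XOR with an HMAC-derived keystream (demo only)."""
    stream = b""
    block = 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, struct.pack("!QQ", nonce, block), hashlib.sha256).digest()
        block += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # 20-byte IPv4 header; checksum left at 0 because nothing here goes on a wire.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def tcp_header(sport: int, dport: int, seq: int) -> bytes:
    # 20-byte TCP header, PSH|ACK, no options.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)


def build_tls_packet() -> bytes:
    """Application-layer protection: only the TLS record payload is encrypted;
    IP and TCP headers and the 5-byte TLS record header stay in the clear."""
    record = toy_encrypt(KEY, 1, HTTP_REQUEST)
    tls = struct.pack("!BHH", 23, 0x0303, len(record)) + record  # application_data, record version TLS 1.2
    tcp = tcp_header(51234, 443, 1000)
    return ipv4_header("10.0.0.5", "10.0.0.9", 6, 20 + len(tcp) + len(tls)) + tcp + tls


def build_esp_tunnel_packet() -> bytes:
    """ESP tunnel mode: the entire inner IP packet (addresses, ports, payload)
    is encrypted; only the outer IP header, SPI and sequence number are visible."""
    inner_tcp = tcp_header(51234, 80, 1000)
    inner = (ipv4_header("10.0.0.5", "10.0.0.9", 6, 20 + len(inner_tcp) + len(HTTP_REQUEST))
             + inner_tcp + HTTP_REQUEST)
    pad_len = (-(len(inner) + 2)) % 4                       # align trailer to 4 bytes
    body = inner + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, 4)  # next header 4 = IPv4
    esp = struct.pack("!II", 0x1234ABCD, 7) + toy_encrypt(KEY, 2, body)          # SPI, sequence number
    icv = hmac.new(KEY, esp, hashlib.sha256).digest()[:16]  # integrity check value over the ESP packet
    return ipv4_header("198.51.100.1", "203.0.113.7", 50, 20 + len(esp) + len(icv)) + esp + icv


def observe(packet: bytes) -> dict:
    """What a passive observer without any keys can parse out of the packet."""
    proto = packet[9]
    seen = {"ip.src": str(ipaddress.IPv4Address(packet[12:16])),
            "ip.dst": str(ipaddress.IPv4Address(packet[16:20]))}
    body = packet[20:]
    if proto == 6:    # TCP: ports, sequence number and the TLS record header are readable
        sport, dport, seq = struct.unpack("!HHI", body[:8])
        seen.update({"tcp.sport": sport, "tcp.dport": dport, "tcp.seq": seq})
        ctype, version, length = struct.unpack("!BHH", body[20:25])
        seen.update({"tls.content_type": ctype, "tls.version": version, "tls.length": length})
    elif proto == 50:  # ESP: only SPI and sequence number precede the ciphertext
        spi, seq = struct.unpack("!II", body[:8])
        seen.update({"esp.spi": spi, "esp.seq": seq})
    return seen


def payload_leaks(packet: bytes) -> bool:
    """True if any part of the HTTP request survives in plaintext."""
    return b"GET /" in packet or b"internal.example" in packet


if __name__ == "__main__":
    for name, pkt in (("TLS over TCP", build_tls_packet()), ("ESP tunnel", build_esp_tunnel_packet())):
        print(name, "exposes:", observe(pkt), "| payload leaks:", payload_leaks(pkt))
```

Both packets hide the request body, but the observer still recovers the real endpoint addresses, both TCP ports and the TLS record framing from the TLS packet, whereas from the ESP packet it gets only the gateway addresses, the SPI and a sequence number. That is the concrete content of the envelope argument; what it does not settle is the rest of the list (key management, NAT traversal, user-level authentication), which the script leaves aside.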