authenticated unencrypted

From: Matthew Kerwin <matthew@kerwin.net.au>
Date: Wed, 18 Dec 2013 09:50:58 +1000
Message-ID: <CACweHNAyeFbi_oB0BMnGLeDHx=xwtcchZ=F+2coaD0==yLqTjQ@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Hi, this question has been rattling around in my head for a couple of days
and I can't shake it, so I'll present it to the WG: is there any value in
offering an authenticated+unencrypted connection mode in HTTP?

It's completely aside from the everything-TLS debate (because if
everything's TLS it's already authenticated, and if authentication via
certs is expensive unenc-auth will be untenable for those people); but if
one of the opportunistic encryption proposals is encryption without
authentication, to prevent passive sniffing, would there be value in
authentication without encryption?

For example, I don't particularly need any of the CC-* content on my
website to be encrypted (it's free for everyone to read), however I'd
prefer it if a MITM couldn't modify my code snippets or misrepresent my
blog rants.  It's my understanding that decrypting the entire entity is
pretty expensive, but calculating a checksum/hash and decrypting that is
cheaper.  Is my understanding wrong?

Also, point in case, PGP-signed email messages to public(ly readable)
fora, such as this one.  Peter Saint-Andre just sent one.

Sorry if it's been covered before, I haven't found anything in the
archives.

-- 
  Matthew Kerwin
  http://matthew.kerwin.net.au/
Received on Tuesday, 17 December 2013 23:51:28 UTC
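
As an added illustration, not part of the original message: the model asked about above, where the body travels in the clear and only a signature over its hash authenticates it. To stay within the Python standard library it uses a Lamport one-time signature as a stand-in for a certificate-based signature; the function names and the sample body are constructed for this example.

```python
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    # The 256 bits of a SHA-256 digest, most significant bit first.
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def keygen():
    """Lamport key pair: 256 pairs of random secrets; the public key is their hashes.
    A key pair may sign ONE message only; reuse leaks enough secrets to forge."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, body: bytes):
    """Hash the body once, then reveal one secret per digest bit.
    The body itself is never encrypted."""
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(body)))]


def verify(pk, body: bytes, sig) -> bool:
    """Anyone holding the public key can check integrity of the plaintext body."""
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == pk[i][bit]
               for i, bit in enumerate(_bits(_h(body))))


def demo():
    # Assumption: the client already trusts pk (the role a certificate would play).
    sk, pk = keygen()
    body = b"<pre>print('hello')</pre>"           # constructed sample response body
    sig = sign(sk, body)                          # sent alongside the cleartext body
    tampered = body.replace(b"hello", b"changed")  # on-path modification
    return verify(pk, body, sig), verify(pk, tampered, sig)


if __name__ == "__main__":
    print(demo())
```

A passive observer can still read the body in full; what the signature adds is that a modified body no longer verifies against the published key.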
