
Re: null ciphers in 9.2.2

From: Greg Wilkins <gregw@intalio.com>
Date: Wed, 1 Oct 2014 09:36:08 +1000
Message-ID: <CAH_y2NHk-eeLnjCBV0=XuMgLnHfJZRUb6PuZLAMTygq30HY6CQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>, HTTP Working Group <ietf-http-wg@w3.org>

On 1 October 2014 06:34, Martin Thomson <martin.thomson@gmail.com> wrote:

> Would you like to make an argument for integrity-only for
> opportunistic security?  I can't imagine any argument that I'd find
> compelling, but am always willing to be surprised.
>

I've been writing a HTTP server for 20 years and in that time I have
continued to be surprised and then surprised again by the incredibly varied
and lateral uses that the protocol has been put to in all manner of
situations.

Just because we cannot imagine why something would be done today does not
mean there will not be a use for it tomorrow.

Sure, strong encryption is a good thing to have on today's public networks,
but there may be all manner of surprising deployment modes that come out in
the future that wish to use TLS, but not with a 9.2.2 compliant cipher.

9.2.2 attempts to avoid surprises by suppressing innovation.  It fails to
recognise that some surprises are pleasant surprises.

Let's not limit the usage of this protocol by the limit of our imaginations.



-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.
Received on Tuesday, 30 September 2014 23:36:37 UTC
