Re: Fwd: IAB Statement on Internet Confidentiality

On Mon, Nov 17, 2014 at 9:06 AM, Poul-Henning Kamp <phk@phk.freebsd.dk>
wrote:

> --------
> In message <20141117163914.GA14542@1wt.eu>, Willy Tarreau writes:
>
> >That's exactly what I hate in the "tls everywhere" model:
>
> I think the major mistake in "tls everywhere" is that while the
> OSI model's protocols sucked, the basic idea of layering did not.
>
> IMO the HTTP/2.0 spec shouldn't mention encryption or TLS with
> a single word, making it robust for future changes in transport
> or encryption technologies and policies.
>
> By welding HTTP/2.0 to TLS (as hard as they can), the "tls everywhere"
> crowd is effectively making it harder to replace TLS with something
> better in due time.
>

This is a false claim.  An example would be HTTP binding on top of SCTP.
HTTP didn't define it, but it was defined later in a separate RFC.  It just
takes someone defining how to do it.  Obviously, you have to know what
you're binding to in order to define it.

Defining how to bind HTTP to today's leading secure transport protocol does
not detract from defining how it would be bound to future protocols,
if/when they should emerge.

Mike





>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>
>

Received on Monday, 17 November 2014 17:51:00 UTC