
Re: Call for Adoption: Encrypted Content Encoding

From: Kyle Rose <krose@krose.org>
Date: Tue, 1 Dec 2015 11:33:58 -0500
Message-ID: <CAJU8_nUzpvO7+h6haEQfNBLvXjtYZ2cQ+pQyhyh5ubDACHi11Q@mail.gmail.com>
To: roland@zinks.de
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Amos Jeffries <squid3@treenet.co.nz>
>> TLS is also end-to-end
> That is a false statement.
> TLS is point-to-point. There is no requirement in TLS that point-B on
> the connection be the origin server.

Perhaps the confusion lies in the fact that end-to-end vs.
point-to-point, taken literally, depends on how you're defining your
endpoints? TLS is end-to-end if you consider the endpoints of the TCP
connection to be the two ends. But I'd argue that this interpretation
renders the two concepts meaningless. E2E vs. P2P in a security
context imply things other than what the phrases literally mean.

One of the distinguishing characteristics of end-to-end encryption in
my experience is that the payload/data stream can be time-shifted
without affecting the ability for authorized users to decrypt the
data: TLS, with forward secrecy, clearly does not have this
characteristic. Another characteristic is that the payload is
encrypted and decrypted offline, i.e., without any online handshake
between the sender and the recipient: again, TLS is explicitly
designed in a way that this is not possible. End-to-end also implies
the ability for (though not the necessity of) many recipients, rather
than one-to-one communication: TLS also fails this test.

Frankly, in myriad discussions over many years with lots of different
people, this is the first time I've encountered confusion about the
two concepts. It's almost hard to believe we're arguing about this.

Received on Tuesday, 1 December 2015 16:34:31 UTC
