Re: Call for Adoption: Encrypted Content Encoding

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 3 Dec 2015 08:05:00 +1100
Cc: Cory Benfield <cory@lukasa.co.uk>, ietf-http-wg@w3.org
Message-Id: <6AAACFDE-DB86-43F8-87FC-80324950A79F@mnot.net>
To: "Walter H." <walter.h@mathemainzel.info>

Walter (et al),

This discussion seems to be repeating the same arguments, without much progress. You don't see value in this draft, but many others have expressed support for it and its use cases.

Unless you have new information, I'd suggest we move on.

Cheers,


> On 3 Dec 2015, at 2:34 am, Walter H. <walter.h@mathemainzel.info> wrote:
> 
> On 02.12.2015 16:04, Cory Benfield wrote:
>>>> What I also said is that it reduces or removes certain other attack surfaces.
>>> please be concrete here, I don't see any reduction or removing of certain other attack surfaces;
>> Sure. This drastically reduces the likelihood of intermediaries replacing a legitimate payload with a malware-ridden one,
> why should this be true?
> you've forgotten something essential: anything in this draft can also be faked by intermediaries ..., so where is the guarantee the PDF or whatever is the real one you expect?
> 
> this should be enough to see, that this is ONLY an increase of the attack vector, and nothing else;
> 
> your example with PDF and bank: when this occurs we have another problem, which can't be prevented by this draft nor by something else ...
> 
> we should be realistic: an increase of attack vector and no new features is no useful use case; it is reason enough to destroy this draft;
>>>> The reason we shouldn’t destroy this draft is because this draft doesn’t “only helps increasing the attack vector”.
>>> let me say it in other words; I don't see any feature which is new and we hadn't already before …
>> That cannot be accurate: you’ve just discussed some.
> from the view of malware ...; from the view of good-ware there is no new feature, which already exists as alternative before;
> encrypted .rar/.zip archives as example;
> 
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 2 December 2015 21:05:31 UTC