- From: Ross Nicoll <jrn@jrn.me.uk>
- Date: Mon, 26 Mar 2012 13:04:42 +0100
- To: Mike Belshe <mike@belshe.com>
- CC: ietf-http-wg@w3.org
On 26/03/2012 11:21, Mike Belshe wrote:
>>
>> The choice of crypto or no crypto is for the HTTP-service provider to
>> decide, it is not for us to decide on their behalf.
>>
>
> Nobody ever said we'd take away an unsecure path. I just don't want it
> to be the default. Make security opt-out rather than opt-in.
>
> How much global legislation about liability for accidentally leaked
> information do you need before you'll believe that we have a
> responsibility here?

My interpretation of many of the arguments was that there should be no insecure option. I'd be happy to see a secure-by-default protocol with an option to force it to plain-text (or similar).

I suspect if the protocol were secure-only, people would either not adopt it (and stick to HTTP 1.1) or would create their own variants with security disabled (likely resulting in multiple slightly incompatible protocols). I would consider either of these outcomes worse than letting people shoot themselves in the foot with a protocol that tries to outline the risks to them.

Ross
Received on Monday, 26 March 2012 12:05:29 UTC