Re: The TLS hammer and resource integrity

I'd like to add low-power use cases (e.g. sensor networks) to that, as 
well, where the overhead of TLS is a non-trivial issue both in CPU time 
and battery power.

I maintain that if we try forcing TLS in HTTP 2.0, many people will 
complain, and then fork their own versions of HTTP 2.0 without TLS. Best 
case scenario is a single sensible standard that models HTTP without 
TLS, more likely we'll end up with 2-3 subtly incompatible versions and 
a huge stack of workarounds to hold the mess together.

Ross

On 28/03/2012 08:21, Poul-Henning Kamp wrote:
> Everything, that is, except performance and choice. There is no way to 
> get around that mandatory TLS is overkill in many high-volume 
> applications, most notably p0rn. If you want to kill HTTP/1.1, you 
> have to make HTTP/2.0 a good idea for the 50% of web traffic 
> consisting of pink bits. Second, there are places where TLS is simply 
> not a good idea, either because other security measures are in place, 
> or because transparency is specifically called for (Think: Flight 
> Recorder). 

Received on Wednesday, 28 March 2012 08:48:55 UTC