Re: Response to HTTP2 expressions of interest

On Fri, Jul 13, 2012 at 05:37:23PM +0000, Poul-Henning Kamp wrote:
> In message <CAMm+Lwgr1cnM3-iz_quKhN9N_dS1d6qdv26kSvKZ+T_Hr9L+hw@mail.gmail.com>
> , Phillip Hallam-Baker writes:
> 
> >5a) The TLS-HTTP gap
> >
> >Now as far as HTTP is concerned, headers have security implications
> >and so HTTP is not going to be acceptably secure without either
> >transport layer or packet layer security. 
> 
> I disagree.
> 
> What HTTP lacks is a clear distinction between "envelope" and "body"
> the way SMTP and NNTP have it.
> 
> HTTP/2.0 would enable a lot more sites to run with cryptographic
> security, if there were an unprotected envelope for load-balancers
> to act on.
> 
> I also think it should be possible to mix protected and unprotected
> requests on the same TCP session.

+1 on all these points!

Also, in some environments, the need for clear-text but signed exchanges
is common in order to avoid tampering and to ensure transported data is
safe. As amazing as it may seem, I first noticed this requirement in
banking environments. There are places like this where most of the
transported data has no direct user information but needs to be easy to
control and process. In all these situations, dealing with a clear-text
envelope is by far the best solution.

Willy

Received on Friday, 13 July 2012 17:54:02 UTC
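The envelope/body split and the "clear-text but signed" exchanges discussed in the message above, as an added illustration (example code written for this page; it is not from the original post, from the working group, or from any HTTP/2 draft). The wire format, field names, key IDs and key material are all hypothetical, and an HMAC stands in for "signed" so the script runs offline; a public-key signature would slot in the same way. The load balancer routes on the unprotected envelope without holding any key, the origin verifies the signature over the headers and body, and the last case shows the caveat that follows from the design: an envelope field that the signature does not cover can be altered without the verifier noticing.

```python
import hashlib
import hmac
from copy import deepcopy

# Hypothetical wire format used only for this illustration (not HTTP/2 or any
# real specification):
#   envelope  - clear-text routing fields; intermediaries read or rewrite them
#               without any key, and the signature does not cover them
#   headers   - application headers; the ones listed in SIGNED_FIELDS are signed
#   body      - clear-text payload, signed
#   signature - HMAC-SHA256 (hex) standing in for "signed"; a real design could
#               use a public-key signature the same way
SIGNED_FIELDS = ("content-type", "content-length")

# Constructed demo key material; a deployment would fetch per-sender keys from
# a key store and rotate them.
KEYS = {"k1": b"demo-shared-secret-for-illustration-only"}


def canonical(headers: dict, body: bytes) -> bytes:
    """Canonical bytes the signature covers: the signed headers and a body hash.

    Fields are emitted in a fixed order with trimmed values so that signer and
    verifier agree byte for byte.
    """
    lines = [f"{name}:{headers.get(name, '').strip()}" for name in SIGNED_FIELDS]
    lines.append(f"body-sha256:{hashlib.sha256(body).hexdigest()}")
    return "\n".join(lines).encode()


def sign(key_id: str, envelope: dict, headers: dict, body: bytes) -> dict:
    """Assemble a message with a detached HMAC over the signed parts only."""
    mac = hmac.new(KEYS[key_id], canonical(headers, body), hashlib.sha256).hexdigest()
    env = dict(envelope, **{"key-id": key_id})
    return {"envelope": env, "headers": headers, "body": body, "signature": mac}


def route(msg: dict) -> str:
    """Load balancer: picks a backend from the clear-text envelope alone.

    It holds no key and never touches headers or body; it may also annotate
    the envelope, which leaves the signature valid.
    """
    env = msg["envelope"]
    msg["envelope"] = dict(env, via="lb-1")
    return "payments-pool" if env["path"].startswith("/payments/") else "default-pool"


def verify(msg: dict) -> bool:
    """Origin-side check: recompute the HMAC and compare in constant time."""
    key = KEYS.get(msg["envelope"].get("key-id"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(msg["headers"], msg["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["signature"])


def demo() -> dict:
    """Exercise the honest path and several tampering cases."""
    body = b'{"account":"12345","amount":100}'  # constructed sample payload
    headers = {"content-type": "application/json", "content-length": str(len(body))}
    envelope = {"host": "api.example.test", "path": "/payments/transfer"}
    msg = sign("k1", envelope, headers, body)

    results = {"routed_to": route(msg), "intact": verify(msg)}

    t = deepcopy(msg); t["body"] = b'{"account":"12345","amount":100000}'
    results["body_tampered"] = verify(t)

    t = deepcopy(msg); t["headers"]["content-type"] = "text/plain"
    results["signed_header_tampered"] = verify(t)

    # Caveat: the envelope is unauthenticated by design, so changing a routing
    # field is invisible to the verifier. Routing must not be security-critical.
    t = deepcopy(msg); t["envelope"]["path"] = "/admin/transfer"
    results["envelope_tampered"] = verify(t)

    t = deepcopy(msg); t["envelope"]["key-id"] = "k2"
    results["unknown_key"] = verify(t)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The split is what lets the intermediary work without keys: `route` only reads `msg["envelope"]`, and the `via` annotation it adds does not break verification. The price is visible in the `envelope_tampered` case, so anything an intermediary is allowed to act on must be treated as untrusted by the origin.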