Re: Response to HTTP2 expressions of interest

On 07/13/2012 11:05 PM, Poul-Henning Kamp wrote:
> A much better strategy is to make these practices possible
> and detectable, so that the users know when they are subject
> to them.

It *might* be a better strategy if there were a way
to do it that didn't trivially expose the client
to just about any bad actor, or else make the client
captive to some (possibly bad) actor.

I suspect that a lot of proposals along those lines
will come a cropper like that, e.g. because they
require a client to trust some unprotected signal
from the network or else they require all clients to
have some configured entity that they'll just
believe about all this stuff.

So that's just not easily solved. Perhaps even
beyond the state of the art in the general case.
But who knows. There are many smart folks involved
here. I'll not hold my breath though to be honest.

Having said that, the earlier discussion about
having some few bits of information (host and
a new session id) in an unencrypted but perhaps
signed/MAC'd envelope sounds like it might help
with a bunch of this. So at a high level that
does sound promising.

Though I guess not for the "corporate censor"
part. I dunno what can be done about that.

Anyway, interesting challenges ahead all right!

S.

Received on Friday, 13 July 2012 22:49:27 UTC
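An illustration of the signed/MAC'd envelope idea raised in the message above, added here as an example that is not part of the original post or of any HTTP/2 proposal. The envelope carries a host and a session id in the clear; an HMAC over both lets a party holding the key detect an on-path rewrite of the host, while a reader that ignores the MAC accepts the forgery. The wire format (JSON with hex fields), the HMAC-SHA256 construction, the key value and the session id are all assumptions made for the example; which parties would actually share the key is the trust question the message raises, not something the example settles.

```python
import hmac
import hashlib
import json

# Constructed example key. In a real deployment the client and whoever
# validates the envelope would have to share or derive this key, which is
# exactly the "who does the client trust" problem discussed in the thread.
ENVELOPE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _mac_input(host: str, session_id: bytes) -> bytes:
    # Hostnames cannot contain NUL, so a NUL separator gives an unambiguous
    # encoding of (host, session_id) for the MAC.
    return host.encode("ascii") + b"\0" + session_id


def build_envelope(host: str, session_id: bytes, key: bytes = ENVELOPE_KEY) -> bytes:
    """Unencrypted envelope: host and session id in the clear, plus an HMAC.

    Wire format is an assumption for this example: JSON {"host","sid","mac"}
    with sid and mac hex-encoded.
    """
    mac = hmac.new(key, _mac_input(host, session_id), hashlib.sha256).digest()
    return json.dumps(
        {"host": host, "sid": session_id.hex(), "mac": mac.hex()}
    ).encode("ascii")


def parse_envelope(blob: bytes, key: bytes = ENVELOPE_KEY):
    """Return (host, session_id) if the MAC verifies, otherwise None."""
    try:
        obj = json.loads(blob)
        host = obj["host"]
        sid = bytes.fromhex(obj["sid"])
        mac = bytes.fromhex(obj["mac"])
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, _mac_input(host, sid), hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return host, sid


def rewrite_host(blob: bytes, new_host: str) -> bytes:
    """What an on-path middlebox can do to the cleartext part: swap the host."""
    obj = json.loads(blob)
    obj["host"] = new_host
    return json.dumps(obj).encode("ascii")


def demo():
    """Build an envelope, forge its host, and compare the two ways of reading it."""
    sid = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed
    env = build_envelope("example.com", sid)
    forged = rewrite_host(env, "attacker.example")

    verified = parse_envelope(env)          # genuine envelope: accepted
    forged_verified = parse_envelope(forged)  # MAC no longer matches: None
    # A reader that treats the envelope as an "unprotected signal from the
    # network" and never checks the MAC happily accepts the forged host.
    unprotected_host = json.loads(forged)["host"]
    return verified, forged_verified, unprotected_host


if __name__ == "__main__":
    print(demo())
```

Note that the MAC only tells a key holder that the fields were not altered in transit; it says nothing about whether the party that minted the envelope should be believed in the first place, which is the "captive to some (possibly bad) actor" side of the message's concern.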