- From: Eliot Lear <lear@cisco.com>
- Date: Wed, 18 Jul 2012 07:52:59 +0200
- To: Paul Hoffman <paul.hoffman@gmail.com>
- CC: grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Paul,

I understand Mike's logic for using TLS. I'm even sympathetic. But care must be taken, nevertheless, not to make things worse. That is in fact possible if it means that everyone will get inured to browser indications about validity of certificates. Therefore, a prerequisite is a means to do so that doesn't reduce the value of browser indications of a secure or insecure connection. DANE could play a role as could non-CA based encryption, but we ought to have clear answers for that FIRST.

Eliot

On 7/18/12 2:51 AM, Paul Hoffman wrote:
> +1 to what seems to be a lot of developers: make TLS mandatory.
>
>> so, even when used in an internal application protocol, it's going to
>> be end to end
>> encrypted to make it super hard to debug?
> In an internal application protocol, why would it be "super hard to
> debug"? The client can do an HTTP dump before TLS, the server can do
> an HTTP dump after TLS; either of the sides could debug the TLS.
>
>> http is about more than users using
>> web browsers.
> Completely true, and not relevant. Insecure HTTP for non-browser
> applications still has the same bad properties, no?

Received on Wednesday, 18 July 2012 05:53:27 UTC