- From: Phillip Hallam-Baker <hallam@gmail.com>
- Date: Wed, 18 Jul 2012 09:41:57 -0400
- To: Patrick McManus <pmcmanus@mozilla.com>
- Cc: Mike Belshe <mike@belshe.com>, Willy Tarreau <w@1wt.eu>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Jul 18, 2012 at 9:06 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
> On Tue, 2012-07-17 at 23:54 -0700, Mike Belshe wrote:
>
>> Show me the user that will stand up and say, "Yes, I would like my
>> communications to be snoopable and changeable by 3rd parties without
>> my knowledge."

As has been mentioned before, embedded systems, real-time control. The operators of a nuclear power plant want to have strong authentication on every connection, but they do not want the communications to be encrypted. That is a very common requirement in that field. They don't want any code that is not absolutely necessary. Confidentiality is a low concern; integrity is a high concern.

I sell crypto for a living. I am also one of the developers of HTTP/1.0. The people pushing this particular mandate do not understand either, in my view.

Crypto isn't a magic wand that you can wave and get 'security'. Security is risk management, and to do that you have to have an understanding of the application area.

HTTP was always intended to be used in more than just browsers. It was intended as a replacement for FTP as well. It was intended as a transport layer for Web Services (the name is recent, the idea dates back to my work in 1993, or earlier).

--
Website: http://hallambaker.com/
Received on Wednesday, 18 July 2012 13:42:37 UTC
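The integrity-without-confidentiality requirement described in the message above (every connection authenticated, nothing encrypted) can be made concrete with a keyed MAC over the parts of an HTTP request that matter to the receiver. The following is an added example, not code from the thread or from any HTTP/SPDY implementation; the shared key, the `X-Request-MAC` / `X-Request-Nonce` header names, the covered-header list and the sample messages are all constructed for the demonstration. The request stays readable on the wire; what changes is that any modification of a covered field is detected.

```python
"""Integrity-only protection for an HTTP-style request.

An HMAC-SHA-256 tag is computed over the request line, a fixed set of
headers and a digest of the body, and carried in a header. Nothing is
encrypted: an observer can read every byte, but cannot alter a covered
field without the tag failing to verify.

Example code, not from the mailing-list thread. The key, header names
and messages below are constructed for this demonstration.
"""
import hashlib
import hmac

# Constructed pre-shared key. In a real deployment it would be provisioned
# per device or per operator, never embedded in source.
SHARED_KEY = b"constructed-example-key-do-not-reuse"

# Headers covered by the tag. Anything not listed here can be changed in
# transit without breaking verification, so the list must include every
# header whose alteration would matter to the receiving controller.
# X-Request-Nonce is included so a receiver that records seen nonces can
# reject replays of an otherwise valid message.
SIGNED_HEADERS = ("host", "content-type", "x-request-nonce")


def canonical_form(method, path, headers, body):
    """Build the exact byte string that is authenticated.

    Header names are lower-cased and values stripped so that a proxy
    re-serialising the message does not break the tag, while any change
    to a covered value does. The body is bound through its SHA-256 digest
    so large bodies are cheap to canonicalise.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    lines = [f"{method.upper()} {path}"]
    for name in SIGNED_HEADERS:
        lines.append(f"{name}:{lowered.get(name, '')}")
    lines.append(hashlib.sha256(body).hexdigest())
    return "\n".join(lines).encode("utf-8")


def sign_request(key, method, path, headers, body):
    """Return the hex tag to carry in the (constructed) X-Request-MAC header."""
    data = canonical_form(method, path, headers, body)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_request(key, method, path, headers, body, tag):
    """Recompute the tag and compare in constant time.

    Returns True only when every covered field and the body are unchanged.
    """
    expected = sign_request(key, method, path, headers, body)
    return hmac.compare_digest(expected, tag)


def demo():
    """Sign a constructed control message, then check an intact copy and a
    copy whose body was altered in transit. Returns (intact_ok, tampered_ok)."""
    headers = {
        "Host": "plc.example.internal",        # constructed host name
        "Content-Type": "text/plain",
        "X-Request-Nonce": "000017",           # constructed per-message nonce
    }
    body = b"SET valve_7 CLOSED"
    tag = sign_request(SHARED_KEY, "POST", "/actuators", headers, body)

    intact_ok = verify_request(SHARED_KEY, "POST", "/actuators", headers, body, tag)
    # Same tag, same headers, but the command in the body was changed.
    tampered_ok = verify_request(
        SHARED_KEY, "POST", "/actuators", headers, b"SET valve_7 OPEN", tag
    )
    return intact_ok, tampered_ok


if __name__ == "__main__":
    intact, tampered = demo()
    print(f"intact message verifies: {intact}")      # True
    print(f"tampered message verifies: {tampered}")  # False
```

Two design points worth noting. Only the fields listed in `SIGNED_HEADERS` are protected, so the receiver's policy, not the sender's convenience, should decide that list; a header left out is a header an intermediary may rewrite unnoticed. Replay is not prevented by the tag alone: the nonce is covered by the MAC, but the receiver still has to remember which nonces it has accepted (or bind a timestamp with a tolerance window) for a replayed valid message to be rejected.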