- From: Patrick McManus <pmcmanus@mozilla.com>
- Date: Wed, 18 Jul 2012 11:15:13 -0400
- To: Eliot Lear <lear@cisco.com>
- Cc: Mike Belshe <mike@belshe.com>, Willy Tarreau <w@1wt.eu>, Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, 2012-07-18 at 15:56 +0200, Eliot Lear wrote: > Mike, > > On 7/18/12 8:54 AM, Mike Belshe wrote: > > > Show me the user that will stand up and say, "Yes, I would like my > > communications to be snoopable and changeable by 3rd parties without > > my knowledge." > > > > This is a red herring. The real argument is around the ability of all > web servers to get certificates that the browser will / should trust, > or using a means of trust that doesn't require certificate chains. > [..] Your point is incredibly important, is absolutely intertwined, and deserves lots of attention. I feel like focus in that area is building but there is nothing to show for it yet. However, its not an inherently unsolvable problem and thus I really disagree with the "red herring" claim. Transport security needs to be used more widely and we also need to make the transport security work better. I don't think that means throwing away TLS (or even the way PKI is managed) in favor of something else, but I'm open to a different strategy that achieves the same goals. I think everyone is.
Received on Wednesday, 18 July 2012 15:15:55 UTC