Re: Mandatory encryption

No, what is being said is:

a) Privacy is a requirement in certain applications
b) Mandating confidentiality does not guarantee privacy
c) Mandating one particular approach to confidentiality does not
guarantee privacy
d) The proposed approach is only designed to meet a specific set of
e) The cost of doing it right is greater than many implementations will bear

I am all for TLS; our business depends on it.

I have demonstrated a use case where encryption MUST NOT be used. Can
anyone show me a Web browser that does not support TLS? I don't think
there is one.

I am also all for being pro-user, except when there are no users, which
is actually a major set of use cases for HTTP/1.1.

Also note that the mere presence of a mandate in an IETF spec isn't
worth the paper it is not written on. NO browser that is in use today
implements PKIX according to the spec and no browser provider intends
to comply unless the spec is changed. I can't see how a TLS mandate
would be any more successful.

On Wed, Jul 18, 2012 at 11:09 AM, Tim Bray wrote:
> On Wed, Jul 18, 2012 at 6:56 AM, Eliot Lear wrote:
>>> Show me the user that will stand up and say, "Yes, I would like my
>>> communications to be snoopable and changeable by 3rd parties without my
>>> knowledge."
>> This is a red herring.  The real argument is around the ability of all web
>> servers to get certificates
> This pattern keeps coming up.
> A: “Privacy is good”
> B: “No, because the technology is currently too expensive/unreliable”
> Uh... privacy is good.  -T


Received on Wednesday, 18 July 2012 16:02:52 UTC