Re: Discussion of Mandatory TLS in HTTP/2.0

On 19 July 2012 13:55, Mark Nottingham <mnot@mnot.net> wrote:
> Finally, I'd encourage everyone to carefully read BCP61 <http://tools.ietf.org/html/bcp61> (hat tip to the Security ADs), as it embodies IETF policy in this area, and will doubtless guide our decisions here.

A paragraph of note in BCP61 is:

  7. MUST is for Implementors
     We often say that Security is a MUST implement.  It is worth noting
     that there is a significant different between MUST implement and MUST use.

I do think there are good arguments to make to say that browsers MUST
use a confidentiality mechanism - I just don't think that we really
want to get bogged down in debating those arguments here.
We should endeavour to make HTTP/2.0 work well for both encrypted and
clear text connections (and there is work to do to achieve that).

Also I would assume that the inverse of 7 also applies.  Just because
we implement clear text connections does not mean that users MUST use
them.  Specifically the browser/server/service vendors should be able
to choose not to use clear text connections (or at least make their
usage difficult and non-default).  This would achieve a more
confidential web, but would not require that all HTTP traffic be
encrypted.

The analogy that I see is that cell phone traffic used to be
transmitted in the clear.  It is now encrypted by default, but only
when broadcast and there is no mandate that we keep the audio
confidential when we send it over the wires to our headset or when it
is bridged onto a PSTN.

regards


-- 
Greg Wilkins <gregw@intalio.com>
http://www.webtide.com
Developer advice and support from the Jetty & CometD experts.

Received on Friday, 20 July 2012 07:39:17 UTC