- From: James M Snell <jasnell@gmail.com>
- Date: Fri, 3 Aug 2012 15:21:40 -0700
- To: ietf-http-wg@w3.org
- Message-ID: <CABP7Rbc-3XvGV6WQfdcUf+1i4zJ3S_2GCHQzHh9ONACrxBtFSQ@mail.gmail.com>
For the purposes of discussion, I have published a rough first draft of the SPDY KEY_NEGO mechanism I discussed previously.

http://www.ietf.org/id/draft-snell-httpbis-keynego-00.txt

The short version is: this introduces the ability to perform key negotiation for encrypted streams *within* an established SPDY session, even if TLS is not being used to secure the connection.

This is largely theoretical and experimental at this point, but I have done some initial implementation to at least demonstrate (mostly for myself) that the basic idea works in theory. However, there's much that would need to be done.

To answer the more immediate question: why would we do this? The short answer is that this approach gives us a number of things that TLS currently does not, specifically: the ability to multiplex secure and insecure traffic over a single TCP/IP connection, server-initiated security, in-stream end-to-end integrity checking, and dynamic, on-the-fly (re)negotiation of keys without having to tear down and reestablish the connection.

There is much more that needs to be done to flesh this out, obviously, and I'm not yet convinced that it's a great idea. Much more experimentation and implementation would need to go into determining that, but I wanted to get the basic idea documented and out there for discussion and to get some additional eyes looking at it.

As always, comments and feedback are welcomed.

- James
Received on Friday, 3 August 2012 22:22:28 UTC
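To make the four properties listed in the message concrete (secure and insecure streams sharing one connection, negotiation that either side can start, per-frame integrity, and rekeying without reconnecting), here is a small model of an in-session key negotiation. It is an added example written for this page; it is not code from the draft or from James Snell, and the frame layout, the `KEY_NEGO` exchange shape, the epoch numbering and the keystream construction are all assumptions of this example rather than anything the draft specifies. The Diffie-Hellman group (modulus 2^127 - 1, generator 3) and the HMAC-based keystream are constructed for illustration only and are not secure; a real design would use a standard group or curve and an AEAD.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group, constructed for the demo: modulus 2^127 - 1 (a
# Mersenne prime) and generator 3. Far too small to be secure; illustration only.
P = (1 << 127) - 1
G = 3


def derive_key(shared: bytes, info: bytes) -> bytes:
    """HKDF-shaped extract-then-expand (one SHA-256 block) from the DH secret."""
    prk = hmac.new(b"keynego-demo-salt", shared, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


@dataclass
class Frame:
    stream_id: int
    epoch: int          # 0 = plaintext stream; >0 = key epoch protecting the payload
    seq: int            # per-stream sequence number, bound into the tag
    payload: bytes
    tag: bytes = b""    # HMAC over header + payload for protected frames


class Endpoint:
    """One side of a session. Keys are per stream, so protected and plaintext
    streams coexist on the same connection and each stream can rekey alone."""

    def __init__(self, name: str):
        self.name = name
        self.keys = {}       # stream_id -> (epoch, key); absent = plaintext stream
        self._pending = {}   # stream_id -> our DH private exponent during negotiation

    def key_nego(self, stream_id: int) -> int:
        """Either side may start (re)negotiation on a stream; returns our public value."""
        x = secrets.randbelow(P - 2) + 1
        self._pending[stream_id] = x
        return pow(G, x, P)

    def key_nego_finish(self, stream_id: int, peer_pub: int) -> int:
        """Consume the peer's public value and install the next key epoch for the stream."""
        if not 1 < peer_pub < P - 1:
            raise ValueError("rejecting degenerate DH public value")
        x = self._pending.pop(stream_id)
        shared = pow(peer_pub, x, P).to_bytes(16, "big")
        epoch = self.keys.get(stream_id, (0, b""))[0] + 1
        self.keys[stream_id] = (epoch, derive_key(shared, b"stream-%d-epoch-%d" % (stream_id, epoch)))
        return epoch

    @staticmethod
    def _keystream(key: bytes, epoch: int, seq: int, n: int) -> bytes:
        # Demo keystream: HMAC in counter mode keyed by (epoch, seq, block). Not a real cipher.
        out = b""
        for i in range(0, n, 32):
            out += hmac.new(key, b"%d:%d:%d" % (epoch, seq, i), hashlib.sha256).digest()
        return out[:n]

    @staticmethod
    def _header(f: Frame) -> bytes:
        return b"%d|%d|%d|" % (f.stream_id, f.epoch, f.seq)

    def send(self, stream_id: int, seq: int, data: bytes) -> Frame:
        if stream_id not in self.keys:                      # insecure stream: plaintext frame
            return Frame(stream_id, 0, seq, data)
        epoch, key = self.keys[stream_id]
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(key, epoch, seq, len(data))))
        f = Frame(stream_id, epoch, seq, ct)
        f.tag = hmac.new(key, self._header(f) + ct, hashlib.sha256).digest()
        return f

    def recv(self, f: Frame) -> bytes:
        if f.epoch == 0:
            return f.payload
        epoch, key = self.keys[f.stream_id]
        if f.epoch != epoch:
            raise ValueError("frame uses stale key epoch")
        expected = hmac.new(key, self._header(f) + f.payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, f.tag):        # verify before decrypting
            raise ValueError("integrity check failed")
        return bytes(a ^ b for a, b in zip(f.payload, self._keystream(key, epoch, f.seq, len(f.payload))))


def demo() -> dict:
    """Walk one session: plaintext stream 1, server-initiated KEY_NEGO on stream 3,
    a tampered frame, then a client-initiated rekey that retires epoch 1."""
    client, server = Endpoint("client"), Endpoint("server")
    out = {"plain": server.recv(client.send(1, 0, b"GET / (insecure stream)"))}
    s_pub = server.key_nego(3)                  # server starts negotiation on stream 3
    c_pub = client.key_nego(3)
    client.key_nego_finish(3, s_pub)
    out["epoch1"] = server.key_nego_finish(3, c_pub)
    out["keys_match"] = client.keys[3] == server.keys[3]
    f = client.send(3, 0, b"POST /secret (protected stream)")
    out["secure"] = server.recv(f)
    bad = Frame(f.stream_id, f.epoch, f.seq, bytes([f.payload[0] ^ 1]) + f.payload[1:], f.tag)
    try:
        server.recv(bad)
    except ValueError as e:
        out["tampered"] = str(e)
    c_pub2 = client.key_nego(3)                 # client rekeys mid-session, no reconnect
    s_pub2 = server.key_nego(3)
    server.key_nego_finish(3, c_pub2)
    out["epoch2"] = client.key_nego_finish(3, s_pub2)
    try:
        server.recv(f)                          # epoch-1 frame replayed after rekey
    except ValueError as e:
        out["stale"] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The two points worth noticing are that the plaintext frame on stream 1 and the protected frame on stream 3 travel through the same `Endpoint` pair without any connection-level state change, and that the tag covers the frame header (stream, epoch, sequence) as well as the payload, so a frame cannot be moved to another stream or replayed under an old epoch without failing the check.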