- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Sat, 03 Aug 2013 11:42:38 +1200
- To: ietf-http-wg@w3.org
On 3/08/2013 10:56 a.m., David Morris wrote: > No No No ... unless there is a viable spec for intermediaries which > can be known to the user and provide services. > > It isn't our role as the IETF to take what I believe is a political > position by insisting all traffic be encrypted. Nor is it our role > to insist on the additional deployement expense related to providing > full encryption as the cost of entry. Carsten, The WG charter had a key requirement to make HTTP/2 operate over the same infrastructure used for HTTP/1. That necessarily means HTTP/2 needs to be an open protocol which can be delivered over both secured (TLS) and non-secured (TCP) mediums. * TLS provides the requirements for perfect forward secrecy *if* used that way. * The application-layer transactions and payloads being delivered are free to contain any additional security required beyond what TLS offers (ie DRM-like encryption features on the payload). The existing HTTP/1 infrastructure already provides perfect forward secrecy in the same ways. The problem is just that almost nobody is using it, and those who are often choose partial secrecy over perfect. Amos > On Fri, 2 Aug 2013, Carsten Kr?ger wrote: > >> Hello, >> >> first of all sorry for not knowing what happend before in discussion >> of http 2.0. >> >> Is it still possible to change the http 2.0 draft in a way that >> all traffic is encrypted? >> I'd like to suggest perfect forward secrecy encryption even if proper >> authentication is not possible or wished. >> >> http2:// is ALWAYS pfs encrytped >> https2:// is ALWAYS pfs encrytped and server authenticated >> >> pfs encryption should be not an option but the default for everyone >> that uses http2. >> >> At present time (PRISM, tempora etc.) it should be the goal to prevent >> passive sniffing of traffic. >> >> greetings >> Carsten >> >>
Received on Friday, 2 August 2013 23:43:07 UTC