W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Question regarding perfect forward secrecy in http 2.0

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sat, 03 Aug 2013 11:42:38 +1200
Message-ID: <51FC43EE.60505@treenet.co.nz>
To: ietf-http-wg@w3.org
On 3/08/2013 10:56 a.m., David Morris wrote:
> No No No ... unless there is a viable spec for intermediaries which
> can be known to the user and provide services.
>
> It isn't our role as the IETF to take what I believe is a political
> position by insisting all traffic be encrypted. Nor is it our role
> to insist on the additional deployement expense related to providing
> full encryption as the cost of entry.

Carsten,
   The WG charter had a key requirement to make HTTP/2 operate over the 
same infrastructure used for HTTP/1. That necessarily means HTTP/2 needs 
to be an open protocol which can be delivered over both secured (TLS) 
and non-secured (TCP) mediums.
  * TLS provides the requirements for perfect forward secrecy *if* used 
that way.
  * The application-layer transactions and payloads being delivered are 
free to contain any additional security required beyond what TLS offers 
(ie DRM-like encryption features on the payload).

The existing HTTP/1 infrastructure already provides perfect forward 
secrecy in the same ways. The problem is just that almost nobody is 
using it, and those who are often choose partial secrecy over perfect.

Amos

> On Fri, 2 Aug 2013, Carsten Kr?ger wrote:
>
>> Hello,
>>
>> first of all sorry for not knowing what happend before in discussion
>> of http 2.0.
>>
>> Is it still possible to change the http 2.0 draft in a way that
>> all traffic is encrypted?
>> I'd like to suggest perfect forward secrecy encryption even if proper
>> authentication is not possible or wished.
>>
>> http2:// is ALWAYS pfs encrytped
>> https2:// is ALWAYS pfs encrytped and server authenticated
>>
>> pfs encryption should be not an option but the default for everyone
>> that uses http2.
>>
>> At present time (PRISM, tempora etc.) it should be the goal to prevent
>> passive sniffing of traffic.
>>
>> greetings
>> Carsten
>>
>>
Received on Friday, 2 August 2013 23:43:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC