
Re: Mandatory encryption *is* theater

From: Roberto Peon <grmocg@gmail.com>
Date: Sun, 25 Aug 2013 00:14:36 -0700
Message-ID: <CAP+FsNf9J53gdC7TgcZEth1Bcq8iZUG=ptGukdeVyVepRYh80g@mail.gmail.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

Salvatore, that is also my recollection: To enable the client to require
encryption of the server for HTTP when it so desires and so introduce
symmetry in the negotiation between client/server w.r.t. encryption, but
there was no mention of requiring it for everything.


On Sun, Aug 25, 2013 at 12:10 AM, Salvatore Loreto <
salvatore.loreto@ericsson.com> wrote:

> I don't think we were questioning the possibility to speak between client
> and server
> without any encryption if both parties agree to speak in clear (i.e. TLS
> is not mandatory to use)
>
> The hum, at least how I understood it, was only in favor of investigating a
> way to provide
> from one side equal power to the client:
> i.e. to provide to the client the possibility to require/negotiate the use
> of encryption;
> and from the other side provide to the client the possibility to discover
> the interposition
> and then eventually interact with that proxy in between.
>
> Having said that I agree with Eliot that solving everything just saying
> let's use TLS
> is a theater, instead we should work on a way to authenticate endpoints,
> proxies,
> how to provide data integrity etc.
>
>
> /Salvatore
>
> --
> Salvatore Loreto, PhD
> www.sloreto.com
>
>
>
>
> On 8/25/13 8:16 AM, Eliot Lear wrote:
>
>> Mark,
>>
>> Regarding the minutes of the group, the working group declined to
>> mandate encryption for a number of reasons, not just back end services.
>> What I said the last time, was that we can damage overall Internet
>> security by inuring people to certificate warnings or we will inhibit
>> adoption of HTTP2 unless the mechanisms to manage certificates
>> improve.  In addition many thousands of small devices exist without a
>> simple means to enroll and pay.  Even if they do enroll and pay, the
>> current certificate mechanisms require that they re-enroll - and pay.
>> And so they don't.  There simply is no magic bullet.  The economics are
>> clear.  The means to encrypt has existed nearly two decades.  Mandating
>> encryption from the IETF has been tried before specifically with IPv6
>> and IPsec.  If anything, that mandate may have acted as an inhibitor to
>> IPv6 implementations and deployment and served as a point of ridicule.
>>
>> And so, I do not agree with those who hummed in favor of mandatory
>> encryption.  HTTP2 is already very complex and is biting off enough.
>> The more it bites off the less likelihood of broad adoption.  We've seen
>> this movie before.  What we will have instead of HTTP/2 will be an
>> optional alternative to HTTP/1.1 that is deployed by large scale high
>> performance services.  Maybe that was always the goal, but if so, let's
>> recognize that and relabel.  I was under a different impression.
>>
>> If we wish to explore new means to authenticate endpoints, that would be
>> a better starting point.
>>
>> Eliot
>>
>>
>>
>>
>
>
Received on Sunday, 25 August 2013 07:15:03 UTC
