W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Mandatory encryption *is* theater

From: Eliot Lear <lear@cisco.com>
Date: Sun, 25 Aug 2013 20:46:39 +0200
Message-ID: <521A510F.2020103@cisco.com>
To: willchan@google.com
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On 8/25/13 5:29 PM, William Chan (ι™ˆζ™Ίζ˜Œ) wrote:
> Another key distinction is encryption does not require authentication,
> so a proper cert is not mandatory. I'm surprised you mention requiring
> a proper cert given that you clearly understand a proper cert isn't
> necessary, given your reply to Yoav below. I think it's worthwhile to
> discuss the asserted benefit, but any statement about the current
> proposal requiring proper certificates sounds factually incorrect as
> far as I can tell. Did I miss something here?

Possibly you did or possibly I did.  I have two specific issues with
anonymous encryption:

1.  The threat it is addressing may be better dealt with at other
layers; and
2.  It is often sold as more than it is.

As I wrote, I do like the idea of DANE + DNSSEC and then expanding on
that.  Got code for that?  If it's real privacy (not just encryption)
then I'd probably be convinced (there is a matter of responsibility, but
I think  DANE + DNSSEC could get us there, as can certs from credible CAs).

And just for the record:

> Yes, the proposal is that it is mandatory for the server to implement
> and offer encryption.

That is in fact my objection, particularly the "offer" part.  You seem
to be assuming (forgive me if you are not) that many implementations
small and large AND many deployments small and large will do a whole lot
of work for that offer where past experience shows that they won't, but
rather that it will in fact hinder implementation and deployment of the
rest of HTTP2.  There is an obvious question about the goals for HTTP2...

Received on Sunday, 25 August 2013 18:47:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC