W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Mandatory encryption *is* theater

From: Salvatore Loreto <salvatore.loreto@ericsson.com>
Date: Sun, 25 Aug 2013 22:07:57 +0200
Message-ID: <521A641D.1010304@ericsson.com>
To: <ietf-http-wg@w3.org>
so now I have a question
if one of the reasons to use encryption is to let the bytestreams 
traverse the networks without modifications
why don't just sign them instead that encrypt them?


On 8/25/13 9:09 PM, Roberto Peon wrote:
> Remember that encryption != security.
> Part of the reasons to use encryption have nothing to do with 
> security, but rather reliability-- encrypted bytestreams traverse the 
> network without modification far more successfully.
> There should be no reason that the client shouldn't be able to request 
> this more reliable channel when the URL is HTTP.
> As far as I understand, this is what we're talking about-- the 
> client's ability to request an encrypted channel for HTTP urls.
> -=R
> On Sun, Aug 25, 2013 at 11:46 AM, Eliot Lear <lear@cisco.com 
> <mailto:lear@cisco.com>> wrote:
>     Will,
>     On 8/25/13 5:29 PM, William Chan (ι™ˆζ™Ίζ˜Œ) wrote:
>>     Another key distinction is encryption does not require
>>     authentication, so a proper cert is not mandatory. I'm surprised
>>     you mention requiring a proper cert given that you clearly
>>     understand a proper cert isn't necessary, given your reply to
>>     Yoav below. I think it's worthwhile to discuss the asserted
>>     benefit, but any statement about the current proposal requiring
>>     proper certificates sounds factually incorrect as far as I can
>>     tell. Did I miss something here?
>     Possibly you did or possibly I did.  I have two specific issues
>     with anonymous encryption:
>     1.  The threat it is addressing may be better dealt with at other
>     layers; and
>     2.  It is often sold as more than it is.
>     As I wrote, I do like the idea of DANE + DNSSEC and then expanding
>     on that.  Got code for that?  If it's real privacy (not just
>     encryption) then I'd probably be convinced (there is a matter of
>     responsibility, but I think  DANE + DNSSEC could get us there, as
>     can certs from credible CAs).
>     And just for the record:
>>     Yes, the proposal is that it is mandatory for the server to
>>     implement and offer encryption.
>     That is in fact my objection, particularly the "offer" part.  You
>     seem to be assuming (forgive me if you are not) that many
>     implementations small and large AND many deployments small and
>     large will do a whole lot of work for that offer where past
>     experience shows that they won't, but rather that it will in fact
>     hinder implementation and deployment of the rest of HTTP2.  There
>     is an obvious question about the goals for HTTP2...
>     Eliot

Salvatore Loreto, PhD
Received on Sunday, 25 August 2013 20:08:23 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC