- From: Michael Sweet <msweet@apple.com>
- Date: Sun, 25 Aug 2013 23:58:46 -0400
- To: Mike Belshe <mike@belshe.com>
- Cc: Eliot Lear <lear@cisco.com>, William Chan <willchan@google.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-id: <5E46C5CF-9EFA-47C1-B58A-208121297917@apple.com>
Mike, I might point out that HTTP/1.1 is used over non-IP transports such as USB. And I for one am hoping we can update IPP USB to use HTTP/2.0 to address the limited number of USB interfaces (endpoints) that are available in typical SoC implementations used in printers. TLS in that class of device is a non-starter (and quite frankly is not needed). On 2013-08-25, at 4:05 PM, Mike Belshe <mike@belshe.com> wrote: > > > > On Sun, Aug 25, 2013 at 11:46 AM, Eliot Lear <lear@cisco.com> wrote: > Will, > > > On 8/25/13 5:29 PM, William Chan (ιζΊζ) wrote: >> >> Another key distinction is encryption does not require authentication, so a proper cert is not mandatory. I'm surprised you mention requiring a proper cert given that you clearly understand a proper cert isn't necessary, given your reply to Yoav below. I think it's worthwhile to discuss the asserted benefit, but any statement about the current proposal requiring proper certificates sounds factually incorrect as far as I can tell. Did I miss something here? >> > > Possibly you did or possibly I did. I have two specific issues with anonymous encryption: > > 1. The threat it is addressing may be better dealt with at other layers; and > 2. It is often sold as more than it is. > > As I wrote, I do like the idea of DANE + DNSSEC and then expanding on that. Got code for that? If it's real privacy (not just encryption) then I'd probably be convinced (there is a matter of responsibility, but I think DANE + DNSSEC could get us there, as can certs from credible CAs). > > And just for the record: > > >> Yes, the proposal is that it is mandatory for the server to implement and offer encryption. > > That is in fact my objection, particularly the "offer" part. You seem to be assuming (forgive me if you are not) that many implementations small and large AND many deployments small and large will do a whole lot of work for that offer where past experience shows that they won't, but rather that it will in fact hinder implementation and deployment of the rest of HTTP2. There is an obvious question about the goals for HTTP2... > > I want to challenge your 'past experience' argument since you've said it 2 or 3 times now... > > IPv6 suffered from slow deployment for reasons unrelated to security. a) It offered little value. b) The main value it did offer was more easily implemented through NAT c) it required OS-level upgrades to install. > > HTTP/2 has none of these problems, while also having real monetary benefit. This is exactly the reason why SPDY has become the fastest deployed protocol on the internet ever - from zero to a billion+ users in about a year. With HTTP/2 have the headroom to make TLS a requirement without breaking deployment. > > Finally, implementations don't have to do "a whole lot of work". Implementing and deploying TLS is trivial these days. > > Mike > > > > > > Eliot > _________________________________________________________ Michael Sweet, Senior Printing System Engineer, PWG Chair
Received on Monday, 26 August 2013 03:59:12 UTC