- From: 陈智昌 <willchan@chromium.org>
- Date: Mon, 26 Aug 2013 21:24:20 +0800
- To: Eliot Lear <lear@cisco.com>
- Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CAA4WUYhEj3=pcU=uM2LpFBQUzzk6ta5r-TDNiXmgus50RoB0NA@mail.gmail.com>
I went to http://tools.ietf.org/wg/httpbis/minutes?item=minutes-83-httpbis.html to look up the Paris minutes and didn't find anything about this. Can you state for my benefit what was rejected in Paris as I don't recall?

I'm confused about the relation between new feature deployment and downgrade attacks. Downgrade suggests an active attacker, right? The protocol deployment issue isn't about attacks, but rather intermediaries choking on things they don't expect.

On Mon, Aug 26, 2013 at 6:02 PM, Eliot Lear <lear@cisco.com> wrote:

> Hi Mark:
>
> We have a lot of things to discuss around what that profile looks like;
> e.g., whether cert validation should take place. Since the negotiation
> mechanism itself is vulnerable to a downgrade attack, and since HTTP URIs
> don't have a strong security semantic, it may be reasonable to assume that
> certs for HTTP URIs shouldn't be validated -- which would ease deployment
> considerably. Like I said, though, there will need to be a lot of
> discussion.
>
> And we discussed this in Paris and rejected it for all the reasons we
> are now revisiting. And in Paris what we discussed was the fact that
> this will not solve Mike and Roberto's new feature deployment problem on
> port 80, precisely because of the downgrade attack issue. The other
> issue left is the Starbucks snooping problem, and I still claim that is
> better addressed at other layers. Finally there is the snooping that
> goes on in the middle of the network, which you raised at the meeting.
> I don't think this will solve that problem either, but it may cause
> middlebox vendors to sell some additional features to their service
> providers, based on government mandates.
>
> I would suggest that a better focus is still honest-to-goodness easing
> of end-to-end authentication issues. This is where the hard work needs
> to happen, and it will also facilitate dealing with the fundamental
> issues you've raised concerns about. This, to me, is the high order bit.
>
> Eliot
>
Received on Monday, 26 August 2013 13:24:48 UTC