W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Mandatory encryption *is* theater

From: 陈智昌 <willchan@google.com>
Date: Mon, 26 Aug 2013 22:33:24 +0800
Message-ID: <CAA4WUYgZG3kUb++xBGoaCpFmF4QnHGA41ZrqDAbd=hwAfB_vEw@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Mon, Aug 26, 2013 at 2:46 AM, Eliot Lear <lear@cisco.com> wrote:

>  Will,
> On 8/25/13 5:29 PM, William Chan (陈智昌) wrote:
> Another key distinction is encryption does not require authentication, so
> a proper cert is not mandatory. I'm surprised you mention requiring a
> proper cert given that you clearly understand a proper cert isn't
> necessary, given your reply to Yoav below. I think it's worthwhile to
> discuss the asserted benefit, but any statement about the current proposal
> requiring proper certificates sounds factually incorrect as far as I can
> tell. Did I miss something here?
> Possibly you did or possibly I did.  I have two specific issues with
> anonymous encryption:
> 1.  The threat it is addressing may be better dealt with at other layers;
> and
> 2.  It is often sold as more than it is.

Great, I think we've made progress here on narrowing in on the meat of the
discussion. I've got nothing new here other than what others have already
said, but I'll re-emphasize a particularly point. We're primarily talking
about http:// URIs here. Given that constraint, it's unclear if we want to
require server authentication. I think most people are starting with just
encryption. So while the authentication discussion is interesting, I'd
ignore authentication for now.

I think it's definitely debatable how much benefit anonymous encryption
provides. I'm interested in having that debate. I just want to make sure
we're clear on what we're discussing (encryption, not authentication) for
http:// URIs.

> As I wrote, I do like the idea of DANE + DNSSEC and then expanding on
> that.  Got code for that?  If it's real privacy (not just encryption) then
> I'd probably be convinced (there is a matter of responsibility, but I
> think  DANE + DNSSEC could get us there, as can certs from credible CAs).
> And just for the record:
> Yes, the proposal is that it is mandatory for the server to implement and
> offer encryption.
> That is in fact my objection, particularly the "offer" part.  You seem to
> be assuming (forgive me if you are not) that many implementations small and
> large AND many deployments small and large will do a whole lot of work for
> that offer where past experience shows that they won't, but rather that it
> will in fact hinder implementation and deployment of the rest of HTTP2.
> There is an obvious question about the goals for HTTP2...

Just to be clear, I've actually not said much if anything yet on this
thread in support of mandatory to offer encryption. I've mostly tried to
clarify the discussion, since I felt that there were inaccurate/confusing
statements made earlier in the thread.

> Eliot
Received on Monday, 26 August 2013 14:33:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:15 UTC