Great, I think we've made progress here on narrowing in on the meat of the > discussion. I've got nothing new here other than what others have already > said, but I'll re-emphasize a particularly point. We're primarily talking > about http:// URIs here. Given that constraint, it's unclear if we want > to require server authentication. I think most people are starting with > just encryption. So while the authentication discussion is interesting, I'd > ignore authentication for now. > > let's not ignore authentication. The PKI situation can be improved and there is no reason that http:// can't carry at least the levels of guarantees that https:// provides, modulo fear of down grade attack back to the lameness that is http/1. (so we're talking about transport level enhancements - not web level security changes re mixed content, etc..) that being said - I'm with the family on vacation this week. So please don't take my silence for lack of interest.
Received on Monday, 26 August 2013 16:11:24 UTC