W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Mandatory encryption *is* theater

From: Eliot Lear <lear@cisco.com>
Date: Tue, 27 Aug 2013 08:14:06 +0200
Message-ID: <521C43AE.8030307@cisco.com>
To: willchan@google.com
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Hi Will,

On 8/26/13 4:33 PM, William Chan (ι™ˆζ™Ίζ˜Œ) wrote:

> Great, I think we've made progress here on narrowing in on the meat of
> the discussion. I've got nothing new here other than what others have
> already said, but I'll re-emphasize a particularly point. We're
> primarily talking about http:// URIs here. Given that constraint, it's
> unclear if we want to require server authentication. I think most
> people are starting with just encryption. So while the authentication
> discussion is interesting, I'd ignore authentication for now.

I know I'm not winning an congeniality awards here for disagreeing so
much, but I wouldn't entirely ignore authentication.  As you browser
folk know, you may have retained a lot of information about the server. 
Some of that information might involve the identity of the server, which
is really what is at issue here.  Making use of that would be good, but
I don't know if it can be done properly on port 80 in a standard, unless
of course you happen to have a published DNS record with capabilities. 
It opens up a whole can of worms about whether example.com:80 and
example.com:someotherportrunningSSL are equivalent.

It's also not the most elegant idea I've ever had, I must say.

Eliot
Received on Tuesday, 27 August 2013 06:14:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:15 UTC