Re: Mandatory encryption *is* theater

From: 陈智昌 <willchan@chromium.org>
Date: Tue, 27 Aug 2013 19:25:51 +0800
Message-ID: <CAA4WUYhPmTLHQa6DdGrVqxUjTwATBdSeqL-feATubfv66brZxw@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Eliot Lear <lear@cisco.com>

On Aug 27, 2013 6:37 PM, "Poul-Henning Kamp" <phk@phk.freebsd.dk> wrote:
>
> In message <CAA4WUYgn5jgTojch=Z7Kv=BONLzrwtyyjkuhHCkZ_FgnKE231Q@mail.gmail.com>, William Chan (陈智昌) writes:
>
> >> >I agree authentication would be nice to have,
> >> >but I think it's unfair to criticize mandatory to offer *encryption*
> >> >because of authentication.
> >>
> >> When you say "encryption", do you mean "privacy" ?
> >
> >I mean encryption, because that's AIUI what mnot hinted at in his Berlin
> >presentation.
>
> That answer doesn't really help me any...
>
> In the email I cited, you used "encryption" as something apart from
> "authentication" and that left (at least) me confused about what
> the heck you were talking about ?

Sorry, let me clarify with an example: a TLS connection to a server
presenting a self-signed cert. It's encrypted, but the server is not
authenticated. Does that clarify matters?

>
> Referencing mnot's slides doesn't really help me there...
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by
> incompetence.

Received on Tuesday, 27 August 2013 11:26:20 UTC