Re: Mandatory encryption *is* theater

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 27 Aug 2013 17:22:43 +0000
To: <ietf-http-wg@w3.org>
Message-ID: <e635a4f09d16fae20ed5475afecb7390@scss.tcd.ie>

So just chiming in generally on this thread with no hats:

- I don't agree with the subject line - if done properly,
turning on encryption without authentication could be useful
and not simply theater - for example it could increase the
cost and/or complexity (and hence likelihood of discovery)
of deploying pervasive surveillance.

- Done badly of course, the outcome could be theater.

- I disagree that making better use of crypto might cause
authorities to be more authoritarian - while that might be
a reasonable position to hold for folks with a certain world
view, it's entirely unconvincing. I suspect that folks with
that position cannot be convinced they are wrong and nor
can folks who don't have that position.

- I don't think this discussion should really have much to
do with earlier discussions about performance or middleboxes.
The WG had that discussion and this one is based on "new
information" as I think Mark put it.

- Some people might oversell the results of this discussion,
yes, but that's always a danger and shouldn't drive the WG

All in all, I'd like to see more use of HTTP/TLS for
confidentiality, even without origin authentication. (But
that's probably no surprise:-)

