Re: Rough minutes from Peter Lepeska on 2013-11-09 (ietf-http-wg@w3.org from October to December 2013)

From: Peter Lepeska <bizzbyster@gmail.com>
Date: Sat, 9 Nov 2013 16:04:28 -0500
To: Yoav Nir <ynir@checkpoint.com>
Cc: Tim Bray <tbray@textuality.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CANmPAYHgeNNc1=2XGfbxbbUb8Oy-n+cKbOuN5ysbduF-9HSP+g@mail.gmail.com>

I never did understand option #3. What is opportunistic encryption with
authentication? I thought opportunistic encryption is TLS-relaxed, which is
encryption without server authentication.

Also, I think  the choices are different for HTTP 1 and 2 b/c HTTP/2.x
doesn't involve a performance trade-off.

For HTTP 1.x, the only realistic choice (assuming do nothing is off the
table) in my opinion is:
1) Add support for TLS-relaxed in HTTP/1.x web servers and browsers but
make it OFF by default. Performance impact is too great for HTTP 1.x so
many deployments will not want this.

For HTTP 2.x, I believe the choices are:
1) Add support for TLS-relaxed in HTTP/2.x web servers and browsers but
make it ON by default.
2) Require Full TLS in HTTP 2.x.

Peter

On Tue, Nov 5, 2013 at 9:17 PM, Yoav Nir <ynir@checkpoint.com> wrote:

>  And #2 was only slightly stronger.
>
>  On Nov 5, 2013, at 6:08 PM, Tim Bray <tbray@textuality.com>
>  wrote:
>
>  I would have said the weakness of the #3 and #4 hums was very, very
> close.
>
>
> On Tue, Nov 5, 2013 at 4:41 PM, Mark Nottingham <mnot@mnot.net> wrote:
>
>> … are up at:
>>
>> http://trac.tools.ietf.org/wg/httpbis/trac/browser/wg_materials/ietf88/minutes.txt
>>
>> Cheers,
>>
>>
>> --
>> Mark Nottingham   http://www.mnot.net/
>>
>>
>>
>>
>>
>
>
> Email secured by Check Point
>
>
>

Received on Saturday, 9 November 2013 21:04:55 UTC