I never did understand option #3. What is opportunistic encryption with
authentication? I thought opportunistic encryption is TLS-relaxed, which is
encryption without server authentication.

Also, I think the choices are different for HTTP 1 and 2 b/c HTTP/2.x
doesn't involve a performance trade-off.

For HTTP 1.x, the only realistic choice (assuming do nothing is off the
table) in my opinion is:

1) Add support for TLS-relaxed in HTTP/1.x web servers and browsers but
make it OFF by default. Performance impact is too great for HTTP 1.x so
many deployments will not want this.

For HTTP 2.x, I believe the choices are:

1) Add support for TLS-relaxed in HTTP/2.x web servers and browsers but
make it ON by default.
2) Require Full TLS in HTTP 2.x.

Peter

On Tue, Nov 5, 2013 at 9:17 PM, Yoav Nir <ynir@checkpoint.com> wrote:
> And #2 was only slightly stronger.
>
> On Nov 5, 2013, at 6:08 PM, Tim Bray <tbray@textuality.com>
> wrote:
>
> I would have said the weakness of the #3 and #4 hums was very, very
> close.
>
>
> On Tue, Nov 5, 2013 at 4:41 PM, Mark Nottingham <mnot@mnot.net> wrote:
>
>> … are up at:
>>
>> http://trac.tools.ietf.org/wg/httpbis/trac/browser/wg_materials/ietf88/minutes.txt
>>
>> Cheers,
>>
>>
>> --
>> Mark Nottingham http://www.mnot.net/