- From: Christian Huitema <huitema@huitema.net>
- Date: Sun, 10 Nov 2013 16:10:34 -0800
- To: "'Yoav Nir'" <ynir@checkpoint.com>, "'Julian Reschke'" <julian.reschke@gmx.de>
- Cc: "'HTTP Working Group'" <ietf-http-wg@w3.org>, "'Peter Lepeska'" <bizzbyster@gmail.com>, "'Tim Bray'" <tbray@textuality.com>, "'Mark Nottingham'" <mnot@mnot.net>
> I just don't see why opportunistic encryption is useful for sites with a valid certificate. I think OE is needed for the 70% of websites ([1]) that don't > have a valid certificate. That's certainly an argument. But then, there are design implications. Consider the sites that do not have a valid certificate today. Is it because they don't want to pay the CA, or is it because they don't want to bother with certificate maintenance? If the argument is really about cost of managing the certificate, expiry date, etc., then the opportunistic mode should be truly "zero administration." Can we achieve that with short-lived self-signed certificates? -- Christian Huitema
Received on Monday, 11 November 2013 00:11:29 UTC