Re: Moving forward on improving HTTP's security

Hi list!

I only just heard about this discussion now, and so I signed up on the list.

I strongly urge the HTTP working group and the IETF (if that's a different entity) to not rush this and allow more time for feedback from the internet community.

The IETF is not the internet, and I assure you that there are a lot of people out there working on various solutions independently. They have valuable ideas to share, and feedback to offer. I think it's worth giving them a chance to speak before declaring something "HTTP 2.0".

What I have read so far of the suggestions here leads me to think the ideas are still very immature.

Correct me if I'm wrong, but is "HTTP/2.0" still using today's PKI/CA system?

If so, it is not worthy of the "2.0" designation, as any system that preserves this broken system does not provide any meaningful security guarantees.

Kind regards,
Greg Slepak
Tao Effect, LLC

Please do not email me anything that you are not comfortable also sharing with the NSA.

On Nov 13, 2013, at 9:04 AM, Bjoern Hoehrmann <> wrote:

> * Mark Nottingham wrote:
>> Your understanding of what happened seems like it's different than the
>> other people who I've spoken to. Regardless of that, however, we don't
>> need to discuss every option at physical meetings; we need to discuss
>> them on the list. That's what's happening now.
> As I understand your message, the discussion is over, the decision has
> been made. That is what various news media are reporting and what is
> implied by your use of language like "revisit this decision". If your
> purpose was not to record that the subject matter has received due
> consideration on the mailing list and has now been decided and closed,
> and just meant to make a proposal, then you should clarify accordingly.
> -- 
> Björn Höhrmann · ·
> Am Badedeich 7 · Telefon: +49(0)160/4415681 ·
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 ·

Received on Wednesday, 13 November 2013 14:21:12 UTC