Re: Moving forward on improving HTTP's security

I'd like to see the group hold off on making this decision until we've also
come up with an agreed-upon way for proxies to function in an HTTP2, all-TLS
Internet. Without it we're essentially requiring proxies to do MITM to
function. Is this increasing security?

Peter


On Wed, Nov 13, 2013 at 10:59 AM, Mark Nottingham <mnot@mnot.net> wrote:

> Hi Julian,
>
> On 13 Nov 2013, at 9:33 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
>
> >> As a result, I’m making an informed judgement call, based upon
> >> discussions so far and the options available to us. I do not do so lightly,
> >> and have been in active consultation with many of those it will affect, as
> >> well as IETF leadership. If that call is wrong, I’m confident that the WG
> >> will correct it, but again, that is *not* voting.
> >
> > Well, your mail makes it sound as if a decision already has been made,
> > and that you're willing to revisit it if the WG pushes back. That's
> > different from making a *proposal*, discuss it over here (and maybe *then*
> > make a decision).
>
> I would put it differently. I see only one viable path forward at this
> point in time, based upon the myriad constraints we face. If another
> becomes available, of course we will consider it.
>
> >> Of course. I’ve announced what I believe our current state is; if there
> >> is serious pushback that has technical merit, we’ll have to revisit it. And
> >> as I’ve said many times, I’m open to proposals — especially those that can
> >> a) gain consensus b) actually get implemented and c) get approved by the
> >> whole IETF community. Haven’t seen any others yet.
> >
> > How do you judge the technical merit exactly?
>
> On a case by case basis. How do you expect me to answer that question?
>
> > Do you believe it's acceptable that the default naming scheme for the
> > web ("http") is affected (in that either users keep getting redirected, or
> > bookmarks/links will have to change)?
>
> ...*if* they want to use the latest version of HTTP, and provided that
> another mechanism isn’t added later.
>
> I do want to explore this issue; we might need to either layer on
> opportunistic encryption (which is NOT yet firmly ruled out; we’ll evaluate
> whether it’s still needed as we progress), modify our charter, or address
> it in some other way.
>
> Regards,
>
> --
> Mark Nottingham   http://www.mnot.net/

Received on Wednesday, 13 November 2013 16:26:13 UTC