Re: Moving forward on improving HTTP's security

That's great. Let me know if I can help.

Peter


On Wed, Nov 13, 2013 at 11:27 AM, Mark Nottingham <mnot@mnot.net> wrote:

> Hi Peter,
>
> We have a group of people working on use cases and proposals for that very
> topic now.
>
> Regards,
>
>
> On 14 Nov 2013, at 12:25 am, Peter Lepeska <bizzbyster@gmail.com> wrote:
>
> > I'd like to see the group hold off on making this decision until we've
> > also come up with an agreed upon way for proxies to function in an HTTP2,
> > all TLS Internet. Without it we're essentially requiring proxies to do MITM
> > to function. Is this increasing security?
> >
> > Peter
> >
> >
> > On Wed, Nov 13, 2013 at 10:59 AM, Mark Nottingham <mnot@mnot.net> wrote:
> > Hi Julian,
> >
> > On 13 Nov 2013, at 9:33 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
> >
> > >> As a result, I’m making an informed judgement call, based upon
> > >> discussions so far and the options available to us. I do not do so lightly,
> > >> and have been in active consultation with many of those it will affect, as
> > >> well as IETF leadership. If that call is wrong, I’m confident that the WG
> > >> will correct it, but again, that is *not* voting.
> > >
> > > Well, your mail makes it sound as if a decision already has been made,
> > > and that you're willing to revisit it if the WG pushes back. That's
> > > different from making a *proposal*, discuss it over here (and maybe *then*
> > > make a decision).
> >
> > I would put it differently. I see only one viable path forward at this
> > point in time, based upon the myriad constraints we face. If another
> > becomes available, of course we will consider it.
> >
> > >> Of course. I’ve announced what I believe our current state is; if
> > >> there is serious pushback that has technical merit, we’ll have to revisit
> > >> it. And as I’ve said many times, I’m open to proposals — especially those
> > >> that can a) gain consensus b) actually get implemented and c) get approved
> > >> by the whole IETF community. Haven’t seen any others yet.
> > >
> > > How do you judge the technical merit exactly?
> >
> > On a case by case basis. How do you expect me to answer that question?
> >
> > > Do you believe it's acceptable that the default naming scheme for the
> > > web ("http") is affected (in that either users keep getting redirected, or
> > > bookmarks/links will have to change)?
> >
> > ...*if* they want to use the latest version of HTTP, and provided that
> > another mechanism isn’t added later.
> >
> > I do want to explore this issue; we might need to either layer on
> > opportunistic encryption (which is NOT yet firmly ruled out; we’ll evaluate
> > whether it’s still needed as we progress), modify our charter, or address
> > it in some other way.
> >
> > Regards,
> >
> > --
> > Mark Nottingham   http://www.mnot.net/
> >
>
> --
> Mark Nottingham   http://www.mnot.net/
>

Received on Wednesday, 13 November 2013 16:28:26 UTC