Re: Moving forward on improving HTTP's security

On Nov 13, 2013, at 11:25 AM, Peter Lepeska <bizzbyster@gmail.com> wrote:
> 
> Without it we're essentially requiring proxies to do MITM to function. Is this increasing security?

The only thing worse than no security, is a false sense of security.

:-p

- Greg

P.S. Please disregard the duplicate email accidentally sent from my other account.

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Nov 13, 2013, at 11:25 AM, Peter Lepeska <bizzbyster@gmail.com> wrote:

> I'd like to see the group hold off on making this decision until we've also come up with an agreed upon way for proxies to function in an HTTP2, all TLS Internet. Without it we're essentially requiring proxies to do MITM to function. Is this increasing security?
> 
> Peter
> 
> 
> On Wed, Nov 13, 2013 at 10:59 AM, Mark Nottingham <mnot@mnot.net> wrote:
> Hi Julian,
> 
> On 13 Nov 2013, at 9:33 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> >> As a result, I’m making an informed judgement call, based upon discussions so far and the options available to us. I do not do so lightly, and have been in active consultation with many of those it will affect, as well as IETF leadership. If that call is wrong, I’m confident that the WG will correct it, but again, that is *not* voting.
> >
> > Well, your mail makes it sound as if a decision already has been made, and that you're willing to revisit it if the WG pushes back. That's different from making a *proposal*, discuss it over here (and maybe *then* make a decision).
> 
> I would put it differently. I see only one viable path forward at this point in time, based upon the myriad constraints we face. If another becomes available, of course we will consider it.
> 
> >> Of course. I’ve announced what I believe our current state is; if there is serious pushback that has technical merit, we’ll have to revisit it. And as I’ve said many times, I’m open to proposals — especially those that can a) gain consensus b) actually get implemented and c) get approved by the whole IETF community. Haven’t seen any others yet.
> >
> > How do you judge the technical merit exactly?
> 
> On a case by case basis. How do you expect me to answer that question?
> 
> > Do you believe it's acceptable that the default naming scheme for the web ("http") is affected (in that either users keep getting redirected, or bookmarks/links will have to change)?
> 
> ...*if* they want to use the latest version of HTTP, and provided that another mechanism isn’t added later.
> 
> I do want to explore this issue; we might need to either layer on opportunistic encryption (which is NOT yet firmly ruled out; we’ll evaluate whether it’s still needed as we progress), modify our charter, or address it in some other way.
> 
> Regards,
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 
> 
> 


--
Please do not email me anything that you are not comfortable also sharing with the NSA.

Received on Wednesday, 13 November 2013 17:16:20 UTC