Re: Moving forward on improving HTTP's security

Would it be unreasonable to request that we also not debate PR here, unless
it's directly pertinent to the internet drafts we are standardizing? I
don't really want to change how we do things just because of news headlines
on tech sites. I'd rather discuss the technical merits of encouraging
further use of secure communication channels in the various situations
described in Mark's original email.


On Wed, Nov 13, 2013 at 10:53 AM, Tao Effect <contact@taoeffect.com> wrote:

> OK, I agree with this sentiment.
>
> What worries me is the emphasis that I see being placed on HTTP 2.0 being
> "secure".
>
> Perhaps it is somewhat of a marketing problem, but nevertheless, it's a
> marketing problem with potentially serious security consequences.
>
> If HTTP/2.0 is flexible enough to allow for very different types of
> authentication practices than the ones currently done with the PKI/CA
> system, then I would support it.
>
> Just make it *_clear_* then that HTTP/2.0 *is not about improving
> security.*
>
> If this is not made crystal clear, then people will continue to see news
> headlines on tech sites that give people the impression that something is
> actually being done to improve the internet's security with this "move to
> HTTP 2.0!", which is horse sh*t.
>
> - Greg
>
> --
> Please do not email me anything that you are not comfortable also sharing
> with the NSA.
>
> On Nov 13, 2013, at 1:47 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
> On 13 November 2013 10:42, William Chan (陈智昌) <willchan@chromium.org>
> wrote:
>
> If there are issues with TLS or the PKI or whatever we're relying on for
> the
> secure channel, let's fix it.
>
>
> Yes.  We outsource the bulk of HTTP security work to the SEC area
> working groups, primarily TLS.  They are acutely aware of the issues
> and are working on improving the situation.  Let's concentrate on what
> we can do.
>
>
>

Received on Wednesday, 13 November 2013 19:07:08 UTC