- From: Roberto Peon <grmocg@gmail.com>
- Date: Thu, 14 Nov 2013 13:27:12 -0800
- To: Amos Jeffries <squid3@treenet.co.nz>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAP+FsNf75rufzOH7gofUoutPmbRrB-hnwPZ-zHRrNerXrB1ckQ@mail.gmail.com>
This is going sideways.
You cut out the suggestion about alternate input, e.g. barcode.

There are two nearly orthogonal issues here.
1) security/authentication
2) protocol

It has been said over and over that http2 is specced and will be specced to allow plaintext on intranets. Doing so is not a great idea for device configuration of devices where security matters.

The security issue is separate. You need a trust chain for authentication. The best trust chain involves meat-space interaction with the device and involves no third party and has nothing at all to do with the protocol that otherwise would be spoken.

-=R

On Nov 14, 2013 11:14 AM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:

> On 2013-11-15 09:41, Roberto Peon wrote:
>
>> Well, in such cases you may be screwed and should use a device that has
>> such, else you have an insurmountable trust root problem.
>
> You do realise that a huge population in India and Africa are using
> networks that consist solely of wireless AP, cellphone or tablet, right?
> Electricity supply in many areas is not reliable enough to even run an old
> fashioned PC.
>
> You just cut off how many people? oh well,
>
> Looking forward, the high-tech countries are already rolling out similar
> sorts of networks. Japan for example is rolling out HTTP-over-LED_lightbulb
> and vehicle manufacturers are rolling out vehicle-vehicle wireless
> communication (via proxies!). Now try locating the TLS certificate of the
> lightbulb nearest you when you get off the train ... so that you can simply
> connect to it.
>
> What's the population of east asia? oh well,
>
> Then there is that media whipping-post about trends in mobile devices
> replacing other technology.
>
> Cut off them and you have lost a majority of the entire population. Both
> Internet-of-Users and Internet-of-Things with no security.
>
> So, how fast were you going to replace/upgrade every single Internet
> connected device on the planet to support cabled connection with HTTP/2?
>
> non-TLS forms of PKI seem to be working far better in those above systems
> for simultaneous performance and security than HTTPS/TLS can offer at its
> best. The TLS system has edges. Long overdue time to admit they are there
> and work towards supporting the next best thing in HTTP/2 (or is it really
> going to be an old thing that got sidelined because TLS CA model was "easy"
> ?).
>
> Amos

Received on Thursday, 14 November 2013 21:27:39 UTC