Re: Moving forward on improving HTTP's security

This is going sideways.

You cut out the suggestion about alternate input, e.g. barcode.

There are two nearly orthogonal issues here.
1) security/authentication
2) protocol

It has been said over and over that http2 is specced and will be specced to
allow plaintext on intranets.

Doing so is not a great idea for device configuration of devices where
security matters.

The security issue is separate.

You need a trust chain for authentication.
The best trust chain involves meat-space interaction with the device and
involves no third party and has nothing at all to do with the protocol that
otherwise would be spoken.

On Nov 14, 2013 11:14 AM, "Amos Jeffries" wrote:

> On 2013-11-15 09:41, Roberto Peon wrote:
>> Well, in such cases you may be screwed and should use a device that has
>> such, else you have an insurmountable trust root problem.
> You do realise that a huge population in India and Africa are using
> networks that consist solely of wireless AP, cellphone or tablet, right?
> Electricity supply in many areas is not reliable enough to even run an old
> fashioned PC.
> You just cut off how many people? oh well,
> Looking forward, the high-tech countries are already rolling out similar
> sorts of networks. Japan for example is rolling out HTTP-over-LED_lightbulb
> and vehicle manufacturers are rolling out vehicle-vehicle wireless
> communication (via proxies!). Now try locating the TLS certificate of the
> lightbulb nearest you when you get off the train ... so that you can simply
> connect to it.
> What's the population of East Asia? oh well,
> Then there is that media whipping-post about trends in mobile devices
> replacing other technology.
> Cut off them and you have lost a majority of the entire population. Both
> Internet-of-Users and Internet-of-Things with no security.
> So, how fast were you going to replace/upgrade every single Internet
> connected device on the planet to support cabled connection with HTTP/2?
> Non-TLS forms of PKI seem to be working far better in those above systems
> for simultaneous performance and security than HTTPS/TLS can offer at its
> best. The TLS system has edges. Long overdue time to admit they are there
> and work towards supporting the next best thing in HTTP/2 (or is it really
> going to be an old thing that got sidelined because TLS CA model was "easy"
> ?).
> Amos

Received on Thursday, 14 November 2013 21:27:39 UTC