- From: Roberto Peon <grmocg@gmail.com>
- Date: Thu, 14 Nov 2013 13:48:16 -0800
- To: James Snell <jasnell@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Amos Jeffries <squid3@treenet.co.nz>
- Message-ID: <CAP+FsNcHPW0MkDWO8oU327Yi_J+nmSczeBB5poVtn+but2br1g@mail.gmail.com>
No idea here.
-=R

On Nov 14, 2013 11:37 AM, "James M Snell" <jasnell@gmail.com> wrote:

> Ok great, so HTTP/2 will allow plaintext. Fantastic. The next
> question is: If I have a plaintext HTTP/2 server on my intranet, will
> I be able to use Chrome to access that server using HTTP/2?
>
> On Thu, Nov 14, 2013 at 1:27 PM, Roberto Peon <grmocg@gmail.com> wrote:
> > This is going sideways.
> >
> > You cut out the suggestion about alternate input, e.g. barcode.
> >
> > There are two nearly orthogonal issues here.
> > 1) security/authentication
> > 2) protocol
> >
> > It has been said over and over that http2 is specced and will be specced to
> > allow plaintext on intranets.
> >
> > Doing so is not a great idea for device configuration of devices where
> > security matters.
> >
> > The security issue is separate.
> >
> > You need a trust chain for authentication.
> > The best trust chain involves meat-space interaction with the device and
> > involves no third party and has nothing at all to do with the protocol that
> > otherwise would be spoken.
> >
> > -=R
> >
> > On Nov 14, 2013 11:14 AM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:
> >>
> >> On 2013-11-15 09:41, Roberto Peon wrote:
> >>>
> >>> Well, in such cases you may be screwed and should use a device that has
> >>> such, else you have an insurmountable trust root problem.
> >>
> >> You do realise that a huge population in India and Africa are using
> >> networks that consist solely of wireless AP, cellphone or tablet, right?
> >> Electricity supply in many areas is not reliable enough to even run an old
> >> fashioned PC.
> >>
> >> You just cut off how many people? oh well,
> >>
> >> Looking forward, the high-tech countries are already rolling out similar
> >> sorts of networks. Japan for example is rolling out HTTP-over-LED_lightbulb
> >> and vehicle manufacturers are rolling out vehicle-vehicle wireless
> >> communication (via proxies!). Now try locating the TLS certificate of the
> >> lightbulb nearest you when you get off the train ... so that you can simply
> >> connect to it.
> >>
> >> What's the population of east asia? oh well,
> >>
> >> Then there is that media whipping-post about trends in mobile devices
> >> replacing other technology.
> >>
> >> Cut off them and you have lost a majority of the entire population. Both
> >> Internet-of-Users and Internet-of-Things with no security.
> >>
> >> So, how fast were you going to replace/upgrade every single Internet
> >> connected device on the planet to support cabled connection with HTTP/2?
> >>
> >> non-TLS forms of PKI seem to be working far better in those above systems
> >> for simultaneous performance and security than HTTPS/TLS can offer at its
> >> best. The TLS system has edges. Long overdue time to admit they are there
> >> and work towards supporting the next best thing in HTTP/2 (or is it really
> >> going to be an old thing that got sidelined because TLS CA model was "easy"
> >> ?).
> >>
> >> Amos
Received on Thursday, 14 November 2013 21:48:44 UTC