- From: Mike Belshe <mike@belshe.com>
- Date: Sun, 17 Nov 2013 15:40:05 -0800
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CABaLYCv3uqidiVMffm_0VP2XGEwO86+09WmXpPdCd6R=iFqwxw@mail.gmail.com>
On Sun, Nov 17, 2013 at 3:27 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Nov 17, 2013, at 1:09 PM, Poul-Henning Kamp wrote:
>
> > In message <CACuKZqHKjpvgu=TOGsG6FVKtVnJnom1pn8FnuWit9XraW-JM-w@mail.gmail.com>
> > , Zhong Yu writes:
> >
> >> If a URL is http://something, it better means that the document can be
> >> retrieved by HTTP/1 on clear TCP. If that assumption is broken, a lot
> >> of software will be broken.
> >
> > No, it means "fetch this with HTTP", it doesn't say "HTTP/1" anywhere
> > and if the user-agent determines that it can be fetched better with
> > HTTP/2 on port 100, then that's just fine.
>
> The URI scheme defines a name resolution mapping. "http", in particular,
> defines a mapping to a hypothetical HTTP server listening to the default
> (or given) TCP port. That server is authoritative for the remaining URI
> bits.
>
> The scheme does not mean "fetch"; GET does, which is a method constructed
> based on context found outside the URI.
>
> The scheme does not mean "use HTTP"; the tools a user chooses to make
> use of the Internet determine what protocols to use, corresponding to
> which schemes, and may or may not intend to do so through network access
> to an authoritative server. "http" URIs can and do "work" when a user
> agent has no network access.
>
> Security is a systemic issue, not a protocol issue. There is nothing
> secure about TLS or encryption. There are merely some use cases in
> which the data crossing the wire can be made confidential to a given
> set of key holders, preferably controlled by the entity to which the
> user intends to communicate in confidence. That level of confidentiality
> is sufficient for many commerce use cases. It does not provide privacy.
>
> Anyone who thinks adding TLS to plain HTTP will improve security,
> let alone privacy, needs to learn how TLS gets its security.
> Encryption is not magic pixie dust.
>

So your official statement is that TLS does not improve the security or privacy of HTTP?

Mike

>
> For HTTP, the scheme identifies an authority. A user trusts their
> user agent to retrieve somewhat authoritative responses. If a user
> agent can obtain reasonably authoritative responses via other
> means, then it can use those other means instead of the default
> means defined by the scheme, regardless of the scheme.
>
> ....Roy
>

Received on Sunday, 17 November 2013 23:40:33 UTC