Re: something I don't get about the current plan...

On Sun, Nov 17, 2013 at 11:04 PM, Mark Nottingham <mnot@mnot.net> wrote:

>
>
> The underlying assumption seems to be that the performance (and other?)
> benefits of HTTP/2 will lure sites into deploying TLS. Other things could
> also help, of course -- e.g. better administrator experience in deploying
> certs on the server, but that's out of scope for us.
>
> In short, HTTP/2 is being positioned as a gigantic carrot. Because the
> incentives are lined up (the person who needs to install the cert is
> getting the benefit of HTTP/2), the theory is that it's not like the other
> cases.
>
> However, it's still making an assumption that enough people will want
> those benefits to go through the pain of deploying TLS.
>
> Opportunistic encryption is also a means of addressing this issue;
> however, there seems to be a lot of doubt about how its introduction would
> affect the Web, whereas the current approach ("HTTPS Everywhere", to steal
> a phrase from the EFF) has more well-understood properties.
>
> In the current plan, opp encryption may still have a place, if adoption of
> HTTP/2-over-TLS-over-HTTPS turns out to be very low.
>
>
Mark, I think this is a really great summary. Thank you. I will say that
low adoption isn't necessarily the only possible trigger for me. For my
part, I want to see tls-no-auth vetted by the security folks that I trust
too - and if they are on board then it's a lot more attractive to do
proactively. I value their opinions, but it takes some time.



> So, I'd like to hear from those who don't like the current plan; would opp
> encryption (in a nutshell, HTTP/2 for http:// URIs over TLS without
> server authentication) help or hurt?
>
>
Both! :)



> Also, I'm wondering what people (both sides) would think if we allowed
> http/2 for http:// URLs (with or without opp encryption) for .local and
> RFC1918 addresses, to ease the IoT / printer cases.
>
>
As above, encryption with no-auth is still a possibility in my mind,
especially for things that don't bootstrap into the PKI well. But no
plaintext at all for me - addresses are meaningless, as is the notion of a
private LAN.
http://apps.washingtonpost.com/g/page/world/how-the-nsas-muscular-program-collects-too-much-data-from-yahoo-and-google/543/

Received on Monday, 18 November 2013 14:07:07 UTC