Re: A proposal

it is interesting the biggest pushers of mandatory TLS are those who 
stand to suffer the least from it.  Browser makers.

Are any server makers or (reverse-) proxy makers here proponents of 
mandatory TLS?  I can't imagine a server author taking the step of 
requiring all their customers to suddenly buy certs.  At least not be 
the first to do so.  They are the ones who will have to deal with the 
backlash and incredible inertia of getting their customers to change.

Without servers supporting mandatory TLS, it's kinda pointless for 
browser makers to assert they won't implement plaintext http/2.0.  Since 
the cert must be installed on the server (not the client/browser), I 
think it would be better to let the server authors take the lead on this 


------ Original Message ------
From: "Nicolas Mailhot" <>
To: "Mike Belshe" <>
Cc: "Roy T. Fielding" <>; "HTTP Working Group" 
Sent: 20/11/2013 8:07:15 a.m.
Subject: Re: A proposal
>Le Mar 19 novembre 2013 10:45, Mike Belshe a écrit :
>>  Alright, well thats all fine, but I really don't know why you're 
>>going off
>>  on this rant. Can you cite for me the specific quote from anyone on
>>  this
>>  list who declared or implied that TLS was a comprehensive solution 
>>  'security' or 'privacy'? I don't think anyone did, so this rant is 
>>  unnecessary.
>That's playing with words, Chrome and Mozilla representatives have been
>quite clear they wanted to force a TLS-only web for 'security' and
>'privacy'. Even though there is a ton of things those browsers could do
>*now* to improve privacy without fostering pki on everyone else.
>Really, it's getting quite annoying to see all this forceful selling of
>TLS in the name of privacy and security while systematically 
>any attempt to consider the parts of the protocol that are used to data
>mine users now (let's use the business term not emotional appeals).
>Nicolas Mailhot

Received on Tuesday, 19 November 2013 22:04:39 UTC