- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Tue, 19 Nov 2013 23:33:17 +0100
- To: Peter Saint-Andre <stpeter@stpeter.im>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

* Peter Saint-Andre wrote:
>Using TLS does not mean one needs to buy a PKIX certificate from a CA.
>Some CAs issue free certificates, one can use self-signed
>certificates, one can provision keys in DNS (DANE/TLSA), one can use
>PGP keys, one can use anonymous DH cipher suites, etc. You might think
>some of those options are non-starters, but it's incorrect to say that
>mandatory TLS means we're forcing people to buy certificates from CAs.

We should assume that none of the options you list are available unless
mandatory TLS means that we're forcing people to implement them. I have
no difficulty imagining a major browser vendor announcing they will, say,
no longer connect to sites with free or self-signed certificates, with
no option for the user to override.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Tuesday, 19 November 2013 22:33:46 UTC