Re: Getting our definitions of encryption straight for the HTTP/2 security discussion

On 11/20/2013 10:46 PM, Yoav Nir wrote:
> On 20/11/13 11:24 PM, Paul Hoffman wrote:
>> Greetings again. Over the past weeks, people are sometimes talking
>> past each other when they say they want to "always encrypt" HTTP/2
>> traffic. In specific, many people have used the term "opportunistic
>> encryption" in very different ways without knowing it.
>>
>> To help people at least understand what each other might be saying in
>> the future, I created a page with some definitions that hopefully
>> everyone can use. Comments are welcome.
>>
>> http://trac.tools.ietf.org/wg/httpbis/trac/wiki/encryption-definitons
>>
>> --Paul Hoffman
> Too bad Authenticated Encryption has another meaning, but I think this
> terminology is clear enough.
> 
> But your 'best effort' and the one for 'opportunistic' seem to be such
> that encryption always happens, but it could be authenticated or
> unauthenticated. We need a term for a process where encryption may or
> may not happen, and if it does, it may or may not be authenticated.

If we need to debate these terms before they're useful enough
for this wg, then I suggest we do that on the saag list so as
not to further confuse things here.

If however these are good enough for the httpbis wg's current
discussion, then I'd say let's just go with what Paul suggests.

And while I'd define things differently, I do think these are
good enough for here and now so I'd suggest just trying to
use 'em here (but adding more as needed) and after this wg
are done with this discussion we can take this to saag and
consider it in a broader context at more leisure.

S.


> 
> Yoav
> 
> 

Received on Wednesday, 20 November 2013 23:06:56 UTC