- From: Manger, James H <James.H.Manger@team.telstra.com>
- Date: Thu, 21 Nov 2013 10:54:26 +1100
- To: Paul Hoffman <paul.hoffman@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> Greetings again. Over the past weeks, people are sometimes talking past each other when they say they want to "always encrypt" HTTP/2 traffic. In specific, many people have used the term "opportunistic encryption" in very different ways without knowing it.
>
> To help people at least understand what each other might be saying in the future, I created a page with some definitions that hopefully everyone can use. Comments are welcome.
>
> http://trac.tools.ietf.org/wg/httpbis/trac/wiki/encryption-definitons
>
> --Paul Hoffman

"Authenticated Encryption" is a poor choice of term for server-authenticated TLS. "Authenticated Encryption" is already a well-defined term of art in the crypto community with a different meaning. There is even an Authenticated Encryption RFC [RFC 5116].

Perhaps better terms would be:

* Server-authenticated encryption — client authenticates server's identity
* Better-than-nothing encryption — no server authentication
* Best-effort encryption — client tries server-authenticated encryption, but falls back to better-than-nothing encryption if necessary
* Opportunistic encryption — client tries best-effort encryption, but falls back to no encryption if necessary

P.S. Better-than-nothing security (BTNS) is an unauthenticated mode of IPsec defined in RFC 5386.

--
James Manger
Received on Wednesday, 20 November 2013 23:55:08 UTC