Re: Getting our definitions of encryption straight for the HTTP/2 security discussion

Thanks Paul - that's helpful. I've moved it over to <https://github.com/http2/http2-spec/wiki/Encryption-Terminology> (since all of the other HTTP/2 material is there) and linked from the most relevant issue, <https://github.com/http2/http2-spec/issues/315>.

Would you agree that the distinction between better-than-nothing encryption and best-effort encryption is only important if someone chooses to do something with the information that server auth is or is not in place?

Keeping in mind that the "someone" is either going to be the UA (e.g., by changing its security indications to the user), or the origin server (and I *think* the only meaningful thing here would be to allow them to opt out of unauthenticated connections).

Mind you, I think it's OK if we specify best-effort and people use it just to get better-than-nothing encryption, provided it doesn't increase complexity too much; just making sure I understand the difference.

Cheers,


On 21/11/2013, at 8:24 AM, Paul Hoffman <paul.hoffman@gmail.com> wrote:

> Greetings again. Over the past weeks, people are sometimes talking past each other when they say they want to "always encrypt" HTTP/2 traffic. In specific, many people have used the term "opportunistic encryption" in very different ways without knowing it.
> 
> To help people at least understand what each other might be saying in the future, I created a page with some definitions that hopefully everyone can use. Comments are welcome.
> 
> http://trac.tools.ietf.org/wg/httpbis/trac/wiki/encryption-definitons
> 
> --Paul Hoffman

--
Mark Nottingham   http://www.mnot.net/

Received on Thursday, 21 November 2013 00:54:33 UTC