Re: I revised the pro/contra document

Tim,

On 11/23/13 11:07 PM, Tim Bray wrote:
> I’m just enumerating the arguments that have been expressed a
> critical-mass number of times on-list.  I personally think the notion
> that you don’t need to encrypt media files is completely wrong, but it
> has been repeatedly asserted.

The point is- this is other people's money you're talking about. 
Consider a large producer of such media content who derives no benefit
from the additional encryption.  Why would they deploy TLS?  There may
be those who produce similar media content who decide they WANT TLS. 
But it's their choice.

As to home printers, it's not that encryption is the problem- it's that
generating a valid cert in those environments is hard.

And as to Mike's statement:

> I doubt you would bother to install a valid certificate; you'd just
> use a self-signed cert or something, and because you've said you don't
> care about it, you'd ignore the warnings.

This is precisely the behavior you don't want to encourage, not to
mention it may not even work at all because of a lack of UI (this is one
generates a lot of broken software behavior).

A reasonable answer to all of this is for printers to stick with
HTTP/1.1.  Another reasonable approach would be to develop specific
solutions for this use case.  THAT is an area where some sort of "OE"
might in fact be appropriate.  But we don't have to do all of this at
once, and one design consideration I'd suggest we consider is that we
have appropriate hooks – if at all possible (and it may not be) – to
deal with some of this stuff later.

Eliot

Received on Monday, 25 November 2013 06:39:51 UTC