Re: Proposal for doing unauthenticated encryption inside of HTTP/2

On Tue, Dec 3, 2013 at 9:11 AM, Martin Thomson wrote:

> On 3 December 2013 07:24, Paul Hoffman wrote:
> > draft-hoffman-httpbis-minimal-unauth-enc
> I have a lot of questions, but here's a few to start with:
> Why headers and not frames?

- Could be headers or frames, as long as it is some place that is in the
control plane. That's for the grizzled HTTP/2 experts (as in, not me) to

> Why did you choose to submit a draft that doesn't tackle the key
> question of what is being encrypted?

Because the goal is to "encrypt more", and there is disagreement about what
"more" means. The WG seemed more wedged on how to encrypt than what to
encrypt. I trust the WG to resolve the latter if they figure out the former.

> Why did you choose to invent a new security protocol and not repurpose
> something like DTLS?

DTLS assumes a transport layer after the negotiation is done. DTLS takes
many more round trips. DTLS has the concept of authenticating the server
mostly built-in. If the WG wants DTLS, I would strongly suggest using TLS

And, this isn't inventing a new protocol: it is instantiating what is known
to be the minimum needed to get an encryption key. "Here is some key
material and a description of it; yes, that's fine, and here we go" or
"Here is some key material and a description of it; no, I'd rather use this
algorithm so here is my initial keying material; yes, that's fine, and here
we go" plus rejection messages. This is sufficient for borking passive
surveillance but not active attacks.

--Paul Hoffman

Received on Tuesday, 3 December 2013 17:33:04 UTC
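
The offer / accept / reject exchange described in the message above, as an added sketch that is not code from the draft or from either poster. It shows the exchange yielding a shared key when messages are only observed, and completing without any error when key material is replaced in transit. The message field names, the `Endpoint` class, the algorithm label and the toy group (modulus 2^255 - 19, generator 2) are assumptions for illustration, and the counter-proposal path is not modelled.

```python
import hashlib
import secrets

P = 2**255 - 19  # toy modulus (assumption): a known prime, not a vetted DH group
G = 2            # toy generator (assumption)
ALG = "toy-dh-sha256"  # hypothetical algorithm label

def valid(pub):
    return 1 < pub < P - 1  # refuse degenerate key material

class Endpoint:
    def __init__(self, algs):
        self.algs = algs
        self.priv = secrets.randbelow(P - 3) + 2
        self.key = None

    def key_material(self):
        return pow(G, self.priv, P)

    def _derive(self, alg, peer_pub):
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(alg.encode() + shared.to_bytes(32, "big")).digest()

    def offer(self):  # "Here is some key material and a description of it"
        return {"alg": self.algs[0], "key_material": self.key_material()}

    def respond(self, offer):  # "yes, that's fine" or a rejection message
        if offer["alg"] not in self.algs or not valid(offer["key_material"]):
            return {"status": "reject"}
        self._derive(offer["alg"], offer["key_material"])
        return {"status": "ok", "alg": offer["alg"], "key_material": self.key_material()}

    def finish(self, reply):  # "and here we go"
        if reply["status"] != "ok" or not valid(reply["key_material"]):
            return False
        self._derive(reply["alg"], reply["key_material"])
        return True

def substitute(msg, pub):
    # Models an on-path party replacing key material in transit.
    return dict(msg, key_material=pub) if "key_material" in msg else msg

def run_exchange(client, server, on_path=None):
    rewrite = on_path or (lambda m: m)
    return client.finish(rewrite(server.respond(rewrite(client.offer()))))

if __name__ == "__main__":
    a, b, m = Endpoint([ALG]), Endpoint([ALG]), Endpoint([ALG])
    print("observed only:", run_exchange(a, b), "keys match:", a.key == b.key)
    ok = run_exchange(a, b, lambda msg: substitute(msg, m.key_material()))
    print("key material replaced:", ok, "keys match:", a.key == b.key)
```

Both runs complete without error; only in the second do the two endpoints hold different keys, and nothing in the exchange itself reveals that.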