
Re: Proposal for doing unauthenticated encryption inside of HTTP/2

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Tue, 3 Dec 2013 09:32:37 -0800
Message-ID: <CAPik8yaMWxCoYCzcSW8Fq3oC1+=2WdpdpXdPTOwmVWd70iYuzQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Tue, Dec 3, 2013 at 9:11 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 3 December 2013 07:24, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> > draft-hoffman-httpbis-minimal-unauth-enc
> I have a lot of questions, but here's a few to start with:
> Why headers and not frames?

- Could be headers or frames, as long as it is some place that is in the
control plane. That's for the grizzled HTTP/2 experts (as in, not me) to

> Why did you choose to submit a draft that doesn't tackle the key
> question of what is being encrypted?

Because the goal is to "encrypt more", and there is disagreement about what
"more" means. The WG seemed more wedged on how to encrypt than what to
encrypt. I trust the WG to resolve the latter if they figure out the former.

> Why did you choose to invent a new security protocol and not repurpose
> something like DTLS?

DTLS assumes a transport layer after the negotiation is done. DTLS takes
many more round trips. DTLS has the concept of authenticating the server
mostly built-in. If the WG wants DTLS, I would strongly suggest using TLS

And, this isn't inventing a new protocol: it is instantiating what is known
to be the minimum needed to get an encryption key. "Here is some key
material and a description of it; yes, that's fine, and here we go" or
"Here is some key material and a description of it; no, I'd rather use this
algorithm so here is my initial keying material; yes, that's fine, and here
we go" plus rejection messages. This is sufficient for borking passive
surveillance but not active attacks.

--Paul Hoffman
Received on Tuesday, 3 December 2013 17:33:04 UTC
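The "here is some key material and a description of it; yes, that's fine / no, I'd rather use this algorithm / rejection" exchange described in the mail, as an added example that is not from the draft or the original message, played out in-process with ephemeral ECDH from Go's standard library. The message outcomes, the `x25519`/`p256` labels and the key derivation are assumptions, since the draft's wire format is not on the page; nothing in the exchange authenticates either endpoint, which is exactly the limitation the last sentence of the mail states.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"slices"
)

// Algorithm labels are assumed for this example; the draft's names are not on the page.
var curves = map[string]ecdh.Curve{"x25519": ecdh.X25519(), "p256": ecdh.P256()}

// derive binds the ECDH secret to the algorithm and both public values so the two sides
// agree only if they saw the same exchange; nil if the keys are not on the same curve.
func derive(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, alg string, cpub, spub []byte) []byte {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil
	}
	sum := sha256.Sum256(append(append(append([]byte("unauth-enc/"+alg), cpub...), spub...), secret...))
	return sum[:]
}

// Negotiate plays both endpoints in-process; client and server list accepted algorithms, most
// preferred first. Outcomes follow the mail: "yes, that's fine", "no, I'd rather use this", or reject.
func Negotiate(client, server []string) (alg string, ck, sk []byte, err error) {
	alg = client[0] // the client's offer: key material plus a description of it
	if !slices.Contains(server, alg) { // server counter-offers its own preference
		if alg = server[0]; !slices.Contains(client, alg) {
			return "", nil, nil, fmt.Errorf("reject: client %v and server %v share no algorithm", client, server)
		}
	}
	c, err := curves[alg].GenerateKey(rand.Reader) // fresh ephemeral keys for this session only
	if err != nil {
		return "", nil, nil, err
	}
	s, err := curves[alg].GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	cpub, spub := c.PublicKey().Bytes(), s.PublicKey().Bytes() // the values a passive observer sees
	ck, sk = derive(c, s.PublicKey(), alg, cpub, spub), derive(s, c.PublicKey(), alg, cpub, spub)
	return alg, ck, sk, nil
}

func main() {
	alg, ck, sk, err := Negotiate([]string{"x25519", "p256"}, []string{"p256"})
	fmt.Printf("alg=%s err=%v keys agree=%t\n", alg, err, string(ck) == string(sk))
}
```

A passive observer holds only `cpub` and `spub` and cannot recover the key; an in-path party is not prevented from answering the offer itself, since no step here ties the key material to an identity.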
