Re: Proposal for doing unauthenticated encryption inside of HTTP/2

On Tue, Dec 3, 2013 at 9:11 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 3 December 2013 07:24, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> > draft-hoffman-httpbis-minimal-unauth-enc
>
> I have a lot of questions, but here's a few to start with:
>
> Why headers and not frames?
>

- Could be headers or frames, as long as it is some place that is in the
control plane. That's for the grizzled HTTP/2 experts (as in, not me) to
pick.


>
> Why did you choose to submit a draft that doesn't tackle the key
> question of what is being encrypted?
>

Because the goal is to "encrypt more", and there is disagreement about what
"more" means. The WG seemed more wedged on how to encrypt than what to
encrypt. I trust the WG to resolve the latter if they figure out the former.


> Why did you choose to invent a new security protocol and not repurpose
> something like DTLS?
>

DTLS assumes a transport layer after the negotiation is done. DTLS takes
many more round trips. DTLS has the concept of authenticating the server
mostly built-in. If the WG wants DTLS, I would strongly suggest using TLS
instead.

And, this isn't inventing a new protocol: it is instantiating what is known
to be the minimum needed to get an encryption key. "Here is some key
material and a description of it; yes, that's fine, and here we go" or
"Here is some key material and a description of it; no, I'd rather use this
algorithm so here is my initial keying material; yes, that's fine, and here
we go" plus rejection messages. This is sufficient for borking passive
surveillance but not active attacks.

--Paul Hoffman

Received on Tuesday, 3 December 2013 17:33:04 UTC
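
The offer/accept exchange described in the message above, as an added example that is not part of the original message or of the draft: an unauthenticated key agreement that a passive observer cannot turn into the session key, but that an on-path party who substitutes key material splits into two sessions without either endpoint noticing. The group parameters, the `toy-ffdh` label and all names are assumptions made for illustration.

```python
import hashlib
import secrets

# Demo parameters (assumption): a toy finite-field group, not a vetted DH group.
P = 2**255 - 19
G = 2
SUPPORTED = {"toy-ffdh"}  # hypothetical algorithm label

class Party:
    def __init__(self):
        self._x = secrets.randbelow(P - 3) + 2  # private exponent, never sent
        self.public = pow(G, self._x, P)        # key material sent in the clear

    def session_key(self, peer_public):
        shared = pow(peer_public, self._x, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def handshake(client, server, on_wire=lambda direction, key: key):
    """Offer/accept exchange. on_wire sees each message's key material and
    returns what is delivered (unchanged for a passive observer)."""
    offer = {"alg": "toy-ffdh", "key": on_wire("c2s", client.public)}
    if offer["alg"] not in SUPPORTED:
        raise ValueError("server rejects the offered algorithm")
    accept = {"alg": offer["alg"], "key": on_wire("s2c", server.public)}
    return client.session_key(accept["key"]), server.session_key(offer["key"])

def passive_case():
    """Observer records both messages but does not alter them."""
    client, server, seen = Party(), Party(), []
    def tap(direction, key):
        seen.append(key)
        return key
    k_client, k_server = handshake(client, server, tap)
    return k_client == k_server, seen == [client.public, server.public]

def active_case():
    """On-path party substitutes its own key material in both directions."""
    client, server, middle = Party(), Party(), Party()
    k_client, k_server = handshake(client, server, lambda d, key: middle.public)
    return {
        "endpoints_agree": k_client == k_server,
        "middle_has_client_key": middle.session_key(client.public) == k_client,
        "middle_has_server_key": middle.session_key(server.public) == k_server,
    }

if __name__ == "__main__":
    print(passive_case(), active_case())
```

Nothing in the exchange binds the key material to an identity, so the mismatch in `active_case` is only visible if the endpoints compare keys over some other channel.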