- From: Matthew Kerwin <matthew@kerwin.net.au>
- Date: Wed, 18 Dec 2013 09:50:58 +1000
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CACweHNAyeFbi_oB0BMnGLeDHx=xwtcchZ=F+2coaD0==yLqTjQ@mail.gmail.com>
Hi, this question has been rattling around in my head for a couple of days and I can't shake it, so I'll present it to the WG: is there any value in offering an authenticated+unencrypted connection mode in HTTP?

It's completely aside from the everything-TLS debate (because if everything's TLS it's already authenticated, and if authentication via certs is expensive, unenc-auth will be untenable for those people); but if one of the opportunistic encryption proposals is encryption without authentication, to prevent passive sniffing, would there be value in authentication without encryption?

For example, I don't particularly need any of the CC-* content on my website to be encrypted (it's free for everyone to read); however, I'd prefer it if a MITM couldn't modify my code snippets or misrepresent my blog rants.

It's my understanding that decrypting the entire entity is pretty expensive, but calculating a checksum/hash and decrypting that is cheaper. Is my understanding wrong?

Also, case in point: PGP-signed email messages to public(ly readable) fora, such as this one. Peter Saint-Andre just sent one.

Sorry if it's been covered before; I haven't found anything in the archives.

--
Matthew Kerwin
http://matthew.kerwin.net.au/
Received on Tuesday, 17 December 2013 23:51:28 UTC
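The message above asks about integrity without confidentiality: hash the plaintext body, sign only the hash, and let the reader detect a MITM edit without any decryption. The following Go program is an added illustration of that idea and is not code from the post, from Matthew Kerwin's site, or from any WG proposal. It assumes a hypothetical `X-Content-Signature` header, a server Ed25519 key whose public half the client already trusts (key distribution is out of scope, exactly as it is in the message), and a constructed sample body. It also contrasts the signed digest with an unkeyed checksum, which an on-path attacker can simply recompute.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"log"
)

// Hypothetical header name used only for this illustration; nothing standardised.
const sigHeader = "X-Content-Signature"

// Constructed sample page body (not real content from anyone's site).
var sampleBody = []byte("<pre>$ echo hello</pre>\n<p>My blog rant.</p>\n")

// GenerateKeys makes a fresh Ed25519 key pair standing in for the server's
// long-term signing key. How the client learns the public key is out of scope.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	return pub, priv
}

// Digest is an unkeyed checksum of the body (hex SHA-256). On its own it
// offers no protection against an active attacker, who rewrites the body and
// recomputes the checksum to match.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// DigestOnlyCheck is what a client does if it trusts a bare checksum header.
func DigestOnlyCheck(body []byte, digestHeader string) bool {
	return Digest(body) == digestHeader
}

// SignBody hashes the plaintext body and signs only the 32-byte digest, so the
// public-key operation costs the same whether the body is 1 KB or 1 GB.
func SignBody(priv ed25519.PrivateKey, body []byte) string {
	sum := sha256.Sum256(body)
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, sum[:]))
}

// VerifyBody recomputes the digest over whatever body actually arrived and
// checks the signature against it. Nothing is decrypted; the body was sent in
// the clear and stays readable by everyone, attacker included.
func VerifyBody(pub ed25519.PublicKey, body []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	sum := sha256.Sum256(body)
	return ed25519.Verify(pub, sum[:], sig)
}

// Tamper plays the on-path attacker and edits the code snippet in transit.
func Tamper(body []byte) []byte {
	return bytes.Replace(body, []byte("echo hello"), []byte("echo pwned"), 1)
}

func main() {
	pub, priv := GenerateKeys()
	sig := SignBody(priv, sampleBody)
	fmt.Printf("%s: %s\n", sigHeader, sig)
	fmt.Println("genuine body verifies:", VerifyBody(pub, sampleBody, sig))

	modified := Tamper(sampleBody)
	// The attacker can forge a matching unkeyed checksum...
	fmt.Println("forged digest passes digest-only check:", DigestOnlyCheck(modified, Digest(modified)))
	// ...but cannot produce a signature over the new digest without the server's key.
	fmt.Println("tampered body verifies against signature:", VerifyBody(pub, modified, sig))
}
```

Two practical caveats the message does not get into: in HTTP the signature has to be available to the client after the body, so it would travel as a trailer or be computed before streaming begins; and Ed25519 already hashes its input internally, so signing the 32-byte digest rather than the raw body here is purely to make the hash-then-sign split visible, which is the cost model the message asks about.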