
Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 20 May 2014 09:31:03 +0100
Message-ID: <537B12C7.2040400@cs.tcd.ie>
To: Martin Thomson <martin.thomson@gmail.com>, Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>


On 20/05/14 04:59, Martin Thomson wrote:
> On 19 May 2014 20:42, Mark Nottingham <mnot@mnot.net> wrote:
>> FYI - Martin went away and did some substantial revision of this draft, and is now an author.

Good stuff.

> The changes incorporate a draft you might have seen, but I didn't
> announce.  The main innovation here is a way to make the whole thing
> sticky in an effort to reduce the opportunity for downgrade attack.
> Pretty standard stuff, but included as a bit of a thought experiment
> as well as a bit of a test to see what people think.

Would you be ok with s/opportunistic encryption/opportunistic
security/? The latter is the term that the saag discussion has
ended up landing on (post bikeshed :-), so it'd be good if
that worked here too.

I wonder if the MUST and MUST NOT terms in 5.1 are ok. But
if they're there to find that out then that's fine:-)

And BTW - just in case folks here haven't seen it, some FB
folks have published stats [1] on what they've seen with
MTA-MTA STARTTLS and the interesting number for this is
that they are seeing 58% of outbound emails being encrypted
that way, with about half of those being what they call
"strict" and half being what they call opportunistic.
That seems to imply that we could perhaps double the
amount of HTTP traffic using TLS with the mechanism from
this draft (compared to "https"), and in short order. (I
don't know of historic figures for the FB stuff, but
previous guesstimates I've seen were of the order of 20%
or so and not 58%. I'd be very interested in similar
numbers/trends folks are willing to talk about for HTTP
as well.)

That seems like real evidence for a huge potential win
to me, even if the situations aren't quite the same. Fears
that opportunistic security for HTTP might be somehow
dodgy seem to me to pale into insignificance in the face
of such actual evidence.


[1] https://www.facebook.com/notes/1453015901605223/
Received on Tuesday, 20 May 2014 08:31:28 UTC