Re: HTTP/2 and Pervasive Monitoring

In message <>, Erik Nygren writes:

>[...]  provision a real certificate, [...]

I have it from many corners that anything which involves "real
certificates" is not going to happen for a large swath of "unimportant"
traffic because of the extortionary business behavior of the CA-mob.

I personally have no love for the CA-mob, but a lot of people seem to
hate their guts.  Keeping them out of the picture wrt. fighting PM
would be a good idea.

Also, we don't need very big certs, they just have to hold for a
few seconds.

>> For that matter this is not even specific to HTTP/2 in any way, it
>> could also be deployed for HTTP/1.1.
>Only if there was a way to convey Scheme (http vs https) in a way that
>worked reliably for existing HTTP/1.1 servers.

I was talking only conceptually here, the actual protocol mechanics
will be at least as tricky as HTTP/1 -> HTTP/2 upgrade.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Friday, 15 August 2014 14:51:02 UTC