- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 25 Sep 2015 10:32:49 -0700
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Yoav Nir <ynir.ietf@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 25 September 2015 at 10:20, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> I think in the current climate, we have a lot of latitude for
> doing things right, and telling people why they should migrate
> to something safer, so we should seriously consider skipping
> the workarounds and aim for something that will hold up well
> under pressure.

I want to do that too, but if that generates too much incentive to remain on old protocols, I don't think that is the only thing we can do.

Note that there are a lot of alternatives out there already. For instance, the widely deployed OAuth-based systems. There are some small differences in their security properties, which might be critical. However, I confess that I don't know whether that is a consideration as much as pure inertia. Maybe application developers that use client certificates really like the fact that they have terrible privacy characteristics.

Either way, I don't believe that we get to play the dictator here. People will do what they feel that they need to. If we don't help, they will implement options that are even worse than those that I described.
Received on Friday, 25 September 2015 17:33:17 UTC