W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2015

Re: Report on preliminary decision on TLS 1.3 and client auth

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 25 Sep 2015 10:32:49 -0700
Message-ID: <CABkgnnW9FDLudxkEjbG+qgxHBe2TGJscNVoVFFXc=b8Q5xzY8A@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Yoav Nir <ynir.ietf@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 25 September 2015 at 10:20, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> I think in the current climate, we have a lot of lattitude for
> doing things right, and telling people why they should migrate
> to something safer, so we should seriously consider skipping
> the workarounds and aim for something that will hold up well
> under pressure.


I want to do that to, but if that generates too much incentive to
remain on old protocols, I don't think that is the only thing we can
do.

Note that there are a lot of alternatives out there already.  For
instance, the widely deployed OAuth-based systems.  There are some
small differences in their security properties, which might be
critical.

However, I confess that I don't know whether that is a consideration
as much as pure inertia.  Maybe application developers that use client
certificates really like the fact that they have terrible privacy
characteristics.

Either way, I don't believe that we get to play the dictator here.
People will do what they feel that they need to.  If we don't help,
they will implement options that are even worse than those that I
described.
Received on Friday, 25 September 2015 17:33:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:46 UTC