- From: Kyle Rose <krose@krose.org>
- Date: Tue, 1 Dec 2015 11:33:58 -0500
- To: roland@zinks.de
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Amos Jeffries <squid3@treenet.co.nz>
>> TLS is also end-to-end
>>
>
> That is a false statement.
>
> TLS is point-to-point. There is no requirement in TLS that point-B on
> the connection be the origin server.

Perhaps the confusion lies in the fact that end-to-end vs. point-to-point, taken literally, depends on how you're defining your endpoints? TLS is end-to-end if you consider the endpoints of the TCP connection to be the two ends. But I'd argue that this interpretation renders the two concepts meaningless.

E2E vs. P2P in a security context imply things other than what the phrases literally mean. One of the distinguishing characteristics of end-to-end encryption in my experience is that the payload/data stream can be time-shifted without affecting the ability for authorized users to decrypt the data: TLS, with forward secrecy, clearly does not have this characteristic. Another characteristic is that the payload is encrypted and decrypted offline, i.e., without any online handshake between the sender and the recipient: again, TLS is explicitly designed in a way that this is not possible. End-to-end also implies the ability for (though not the necessity of) many recipients, rather than one-to-one communication: TLS also fails this test.

Frankly, in myriad discussions over many years with lots of different people, this is the first time I've encountered confusion about the two concepts. It's almost hard to believe we're arguing about this.

Kyle
Received on Tuesday, 1 December 2015 16:34:31 UTC
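The three tests in the message above (time-shifting, offline encryption, many recipients) can be made concrete. The Python below is an added illustration for this archive page, not code from the thread, from the HTTP working group, or from any TLS implementation. It uses a deliberately toy Diffie-Hellman group and an HMAC-based toy cipher (both constructed here and offering no real security) to contrast a stored multi-recipient envelope, which any addressed recipient can open at any later time with only a long-term key, against an ephemeral-key session whose stored record cannot be recovered once the ephemeral secrets are discarded. The class and function names (`Party`, `envelope_encrypt`, `envelope_open`, `ephemeral_session`, `replay_with_long_term_keys`) are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets

# Toy finite-field Diffie-Hellman group: a 61-bit Mersenne prime and a small base.
# Constructed so the arithmetic stays readable; these parameters give no real security.
P = 2**61 - 1
G = 7


def kdf(label: bytes, shared: int) -> bytes:
    """Derive a 32-byte key from a DH shared secret, bound to a purpose label."""
    return hashlib.sha256(label + shared.to_bytes(8, "big")).digest()


def _subkeys(key: bytes):
    # Separate keys for the keystream and the tag, so the two HMAC uses never collide.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: HMAC keystream XOR, then an HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the data was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Party:
    """A long-term DH key pair; the public half is what a sender looks up offline."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)


def envelope_encrypt(sender: Party, recipient_pubs, plaintext: bytes) -> dict:
    # End-to-end style: no handshake, only published long-term public keys are needed.
    content_key = os.urandom(32)
    wrapped = [seal(kdf(b"wrap", pow(pub, sender.priv, P)), content_key) for pub in recipient_pubs]
    return {"sender_pub": sender.pub, "wrapped_keys": wrapped, "body": seal(content_key, plaintext)}


def envelope_open(env: dict, recipient: Party):
    # Works at any later time: the only input is the recipient's long-term private key.
    kek = kdf(b"wrap", pow(env["sender_pub"], recipient.priv, P))
    for blob in env["wrapped_keys"]:
        content_key = unseal(kek, blob)
        if content_key is not None:
            return unseal(content_key, env["body"])
    return None  # not an addressed recipient: no wrapped copy authenticates under this key


def ephemeral_session(plaintext: bytes):
    # Point-to-point style with forward secrecy: both sides mint ephemeral keys online,
    # exchange public halves, encrypt one record, then throw the ephemeral secrets away.
    client_eph, server_eph = Party(), Party()
    session_key = kdf(b"session", pow(server_eph.pub, client_eph.priv, P))
    assert session_key == kdf(b"session", pow(client_eph.pub, server_eph.priv, P))
    record = seal(session_key, plaintext)
    received = unseal(session_key, record)  # decrypts fine while the session is live
    transcript = {"client_eph_pub": client_eph.pub, "server_eph_pub": server_eph.pub, "record": record}
    del client_eph, server_eph, session_key  # only the transcript survives the session
    return transcript, received


def replay_with_long_term_keys(transcript: dict, party: Party, peer_pub: int):
    # Later, even a legitimate endpoint holding its long-term key cannot time-shift the
    # stored record: the session key depended on ephemeral secrets that no longer exist.
    guess = kdf(b"session", pow(peer_pub, party.priv, P))
    return unseal(guess, transcript["record"])
```

Running `envelope_open` for each addressed party returns the message and returns None for anyone else, while `replay_with_long_term_keys` returns None for every party: the envelope satisfies all three of Kyle's tests, and the ephemeral session satisfies none of them, which is the distinction the message draws.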