Re: SSL/TLS everywhere fail from Cory Benfield on 2015-12-07 (ietf-http-wg@w3.org from October to December 2015)

From: Cory Benfield <cory@lukasa.co.uk>
Date: Mon, 7 Dec 2015 13:11:24 +0000
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Jacob Appelbaum <jacob@appelbaum.net>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
Message-Id: <DFD72331-782F-49ED-A1E3-AE54F80F6802@lukasa.co.uk>

> On 7 Dec 2015, at 13:08, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> 
> --------
> In message <390ACFC5-7664-45A4-9849-9EBFCA8F1568@lukasa.co.uk>, Cory Benfield writes:
> 
>>> You know, I'd actually prefer the draft isn't bloated with
>>> boilerplate text like that.  It should concentrate on the
>>> task at hand and simply caution:
>>> 
>>> "We remind the reader that Key-distribution is the only really
>>> hard cryptographic problem, do not take it lightly."
>> 
>> Here I disagree, I simply don't think that goes far enough.
>> Ambiguity in RFCs is bad.
> 
> That is not ambiguity, is pointing out that there are other
> problem-domains, outside the subject of the present document, which
> should be looked carefully at.
> 
> We also don't write treatises about transmission error detection
> into every document which uses TCP.

Correct, we don’t, we refer those to the draft that talks about it. Which is what I want to do here.

Quoting myself:

> Let’s take draft-thomson-signing and draft-thomson-encryption, and have them both normatively reference a draft that talks about key distribution. We don’t have to detail it in those drafts, but in my view we absolutely have to talk about it somewhere.

and

>  I don’t need it to be the product of HTTPbis, but I think it’s just unacceptable for us to say “use your best judgement”.

Cory

Received on Monday, 7 December 2015 13:11:56 UTC