Re: SSL/TLS everywhere fail from Cory Benfield on 2015-12-07 (ietf-http-wg@w3.org from October to December 2015)

From: Cory Benfield <cory@lukasa.co.uk>
Date: Mon, 7 Dec 2015 13:24:03 +0000
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Jacob Appelbaum <jacob@appelbaum.net>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <D1A052E2-A616-483A-A457-E4F34204B8C1@lukasa.co.uk>

> On 7 Dec 2015, at 13:19, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 8 December 2015 at 00:11, Cory Benfield <cory@lukasa.co.uk> wrote:
>>> Let’s take draft-thomson-signing and draft-thomson-encryption, and have them both normatively reference a draft that talks about key distribution. We don’t have to detail it in those drafts, but in my view we absolutely have to talk about it somewhere.
> 
> I apologize for missing this, I think that it's an important question
> to address... (In my defence, the amount of digital ink spilled here
> is beyond my current ability to track.)
> 
> I don't think that this is a sensible strategy.  There are a few uses
> already for both drafts, both of which have very different key
> management strategies.  Attempting to button this down in the way you
> suggest would necessarily bless or condemn a whole range of
> possibilities.

That’s a fair objection, Martin. Can I ask then, what some of these uses are, and whether they have commonalities? I’m still extremely concerned about having no guidance whatsoever on what to do here.

Received on Monday, 7 December 2015 13:24:42 UTC