Re: Port 80 deprecation

I wonder if it isn't time to write a small RFC that lists the cases 
where encryption,... isn't appropriate. (Not that I have the expertise 
or the necessary cycles, sorry.)

Regards,   Martin.

On 2021-06-07 12:38, Adrien de Croy wrote:
> 
> I'm waiting for someone to propose https for accessLocation for OCSP
> 
> Then we will have a nice little Gordian knot.
> 
> CRL checks also have to use http.
> 
> 
> ------ Original Message ------
> From: "Paul Vixie" <paul@redbarn.org>
> To: "Ilari Liusvaara" <ilariliusvaara@welho.com>
> Cc: "Toerless Eckert" <tte@cs.fau.de>; "ietf-http-wg@w3.org" 
> <ietf-http-wg@w3.org>
> Sent: 6/06/2021 6:07:30 am
> Subject: Re: Port 80 deprecation
> 
>> just be aware that i can't get a "localhost" certificate from an X.509 CA, and
>> that the overhead of running an in-house CA just to accomplish this unnecessary
>> purpose so that i can encrypt and decrypt data between processes who share a CPU,
>> is unthinkable. (the plaintext will be visible inside the process endpoints, so
>> there are literally not "on-path adversaries" to protect against.)
>>
>> for web-style API's inside a system image or hypervisor, TLS will mostly not be
>> used. where it is used, global/universal domain names and IP addresses will have
>> to be used (to get the X.509 CA system to work), or a private CA will be used.
>> this would be all cost no benefit, so, infinitely bad cost:benefit ratio. "nope."
>>
>> HTTP over TCP/80 is forever. but we can say something else if politically nec'y,
>> but that outcome will not change. i've already had to avoid a GoLang SMTP module
>> which had no non-SMTPS outbound capability and so could not talk to my private
>> PostFix server. the TLS-uber-alles mantra is going to lead to some real trouble.
>>
>> -- 
>> Paul Vixie
>>

Received on Monday, 7 June 2021 04:26:15 UTC