Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

Chris Palmer wrote:
> TLS is the transport layer security protocol we have. It is widely
> supported and deployed.

So is HTTP-Digest. Whether content is encrypted or not, Authentication
headers seem a better solution to me than HTTPS-secured cookies. So
maybe Authentication headers (even for unauthenticated users) have some
use after all, where security and privacy are concerned. And maybe, if
we have *that* debate, we'll come up with an alternative that's no less
widely supported and deployed (at least potentially) than HTTPS.

> Any proposed competitor for TLS — are you proposing one? — is likely
> to be roughly as complex and is likely to take roughly as long to
> develop as TLS has.

Disagree on development time. A solution informed by, and enhancing,
what we've learned from HTTP and HTTPS, wouldn't necessarily take very
long to develop. Whether it's more or less complex than TLS seems like
a non-issue if it actually solves the problem.


Received on Wednesday, 31 December 2014 01:27:02 UTC