- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Tue, 30 Dec 2014 18:26:46 -0700
- To: Chris Palmer <palmer@google.com>
- Cc: Marc Fawzi <marc.fawzi@gmail.com>, "henry.story@bblfish.net" <henry.story@bblfish.net>, Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Chris Palmer wrote: > > TLS is the transport layer security protocol we have. It is widely > supported and deployed. > So is HTTP-Digest. Whether content is encrypted or not, Authentication headers seem a better solution to me than HTTPS-secured cookies. So maybe Authentication headers (even for unauthenticated users) have some use after all, where security and privacy are concerned. And maybe, if we have *that* debate, we'll come up with an alternative that's no less widely supported and deployed (at least potentially) than HTTPS. > > Any proposed competitor for TLS — are you proposing one? — is likely > to be roughly as complex and is likely to take roughly as long to > develop as TLS has. > Disagree on development time. A solution informed by, and enhancing, what we've learned from HTTP and HTTPS, wouldn't necessarily take very long to develop. Whether it's more or less complex than TLS seems like a non-issue if it actually solves the problem. -Eric
Received on Wednesday, 31 December 2014 01:27:00 UTC