Mandatory encryption as part of HTTP2
Iljitsch van Beijnum <iljitsch@muada.com> Thu, 14 November 2013 20:42 UTC
From: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Mandatory encryption as part of HTTP2
Date: Thu, 14 Nov 2013 21:42:41 +0100
Message-Id: <946B0ADE-F03B-4249-9D74-904C4BF13632@muada.com>
To: ietf@ietf.org
Cc: iab@iab.org
List-Id: IETF-Discussion <ietf.ietf.org>
Forgive me if this has been discussed before, but I haven't been active on this list for a while and I didn't see subject lines that indicated recent discussions on this. Apparently the chair of the httpbis wg is proposing to make encryption a mandatory part of HTTP version 2:

http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/0625.html

I have many medium-sized problems with this, including the issues with CAs, the additional fragility of depending on certs with limited lifetimes, performance and energy efficiency issues (both the batteries in mobile hosts and the power use in datacenters), severely reduced cacheability and debugging, which are reasonable tradeoffs when privacy and authentication are needed, but are wasteful when they're not, which is still very often the case.

But a more fundamental problem with this approach is that it ties HTTP2 to TLS, while TLS is not a very good technology, except that it has proven easy to deploy. When we finally figure out how to get IPsec deployed as a general purpose solution for privacy and authentication, it would be quite annoying to have to run TLS, too, because HTTP2 requires it.

I'm not entirely sure why the existing problematic solution with certs and CAs was proposed here, as the intended goal, keep the NSA and friends out of our business, would be hard to reach that way. Using some kind of opportunistic encryption would serve that purpose much better, IMO. (However, I do think there is value in making it possible to enable encryption when needed/desired without requiring the use of the https URL scheme.)

Deliberating exactly these kinds of issues is why the IAB gets paid the big bucks. So I hope the IAB can take on this issue.

Iljitsch
- Mandatory encryption as part of HTTP2 Iljitsch van Beijnum
- Re: Mandatory encryption as part of HTTP2 Peter Saint-Andre
- RE: Mandatory encryption as part of HTTP2 l.wood
- Re: Mandatory encryption as part of HTTP2 Roberto Peon
- RE: Mandatory encryption as part of HTTP2 l.wood
- Re: [IAB] Mandatory encryption as part of HTTP2 Hannes Tschofenig
- Re: [IAB] Mandatory encryption as part of HTTP2 Iljitsch van Beijnum
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- RE: [IAB] Mandatory encryption as part of HTTP2 Yaakov Stein
- Re: [IAB] Mandatory encryption as part of HTTP2 Hannes Tschofenig
- Re: [IAB] Mandatory encryption as part of HTTP2 Hannes Tschofenig
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Re: [IAB] Mandatory encryption as part of HTTP2 Hannes Tschofenig
- Re: [IAB] Mandatory encryption as part of HTTP2 Steve Crocker
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Re: Mandatory encryption as part of HTTP2 Ted Faber
- Re: [IAB] Mandatory encryption as part of HTTP2 Roberto Peon
- Re: [IAB] Mandatory encryption as part of HTTP2 Dave Crocker
- Re: [IAB] Mandatory encryption as part of HTTP2 Martin Thomson
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Re: [IAB] Mandatory encryption as part of HTTP2 Theodore Ts'o
- Re: [IAB] Mandatory encryption as part of HTTP2 Stephen Farrell
- Re: [IAB] Mandatory encryption as part of HTTP2 Randy Bush
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Number of CAs (was: Mandatory encryption as part … SM
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker
- Re: Number of CAs (was: Mandatory encryption as p… Theodore Ts'o
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker
- Re: Number of CAs Masataka Ohta
- Re: Number of CAs (was: Mandatory encryption as p… Yoav Nir
- Re: Number of CAs (was: Mandatory encryption as p… Randy Bush
- Re: Number of CAs (was: Mandatory encryption as p… SM
- Re: Number of CAs (was: Mandatory encryption as p… Yoav Nir
- Re: Number of CAs (was: Mandatory encryption as p… mutek
- Re: Number of CAs Phillip Hallam-Baker
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker
- Re: Number of CAs (was: Mandatory encryption as p… Paul Hoffman
- Re: [IAB] Mandatory encryption as part of HTTP2 Masataka Ohta
- Re: [IAB] Mandatory encryption as part of HTTP2 Hannes Tschofenig
- Re: Number of CAs Masataka Ohta
- Re: [IAB] Mandatory encryption as part of HTTP2 Masataka Ohta
- Re: [IAB] Mandatory encryption as part of HTTP2 Hannes Tschofenig
- Re: [IAB] Mandatory encryption as part of HTTP2 Masataka Ohta
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Re: Number of CAs Phillip Hallam-Baker
- Re: [IAB] Mandatory encryption as part of HTTP2 Theodore Ts'o
- Re: Number of CAs Masataka Ohta
- Re: Number of CAs Phillip Hallam-Baker
- Re: Mandatory encryption as part of HTTP2 Conrad Rockenhaus
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Re: Number of CAs Masataka Ohta
- Re: [IAB] Mandatory encryption as part of HTTP2 Yoav Nir
- Re: [IAB] Mandatory encryption as part of HTTP2 Masataka Ohta
- Re: [IAB] Mandatory encryption as part of HTTP2 SM
- Re: Number of CAs Vinayak Hegde
- Re: [IAB] Mandatory encryption as part of HTTP2 Masataka Ohta
- Re: Number of CAs Randy Bush
- Re: Number of CAs Masataka Ohta
- Re: Number of CAs (was: Mandatory encryption as p… Tony Finch
- Re: Number of CAs Yoav Nir
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker
- Re: Number of CAs Phillip Hallam-Baker
- Re: [IAB] Mandatory encryption as part of HTTP2 Phillip Hallam-Baker
- Re: Number of CAs (was: Mandatory encryption as p… Tony Finch
- Re: Number of CAs (was: Mandatory encryption as p… Ted Lemon
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker
- Re: Number of CAs (was: Mandatory encryption as p… Phillip Hallam-Baker