Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP

Nico Williams <nico@cryptonector.com> Mon, 03 December 2012 04:56 UTC

MIME-Version: 1.0
In-Reply-To: <C466889C-5A54-44D3-B8F5-3CAC4A1BA2E0@gmail.com>
References: <pgauj587ym5drb1i5geo6hem.1354192360769@email.android.com> <CAAJ++qFJK_Crfj7_A6a4E8sPvq6CLYtKZOdDaVEcAp86q7H7wA@mail.gmail.com> <CAAz=sckP2w6-gMfVg-xBBVPcM7wDSerbzdbYXeOY_OpmdbToDQ@mail.gmail.com> <B1DBA05D-BB17-4BBE-893B-490199FC5F5E@ve7jtb.com> <CAAJ++qFfgi2Eu_MBe3drL1zRZJ=x0b5gVgNJ10j6TFimOta4qw@mail.gmail.com> <1268667C-895D-4273-94C8-E057D64FD349@josephholsten.com> <014901cdce6a$6943aaf0$3bcb00d0$@packetizer.com> <CAJu8rwX2n54P9prxrqzXZnc-5WeyFoHxhYcD=fvLkfh9FCUU7Q@mail.gmail.com> <016f01cdce6e$8a168af0$9e43a0d0$@packetizer.com> <CAJu8rwUvSFnhh171Xm90k1wm5bLKo_SGqs7L+cQ_QioHWzqNgQ@mail.gmail.com> <025701cdce84$a8a1bfb0$f9e53f10$@packetizer.com> <CAADDC71-1FBB-4411-B61A-359F878724A6@gmail.com> <036301cdceb1$3ae93e30$b0bbba90$@packetizer.com> <CAAJ++qGmx3hYt3f2kQ8BaVRe4ggA8F5jLyB1F-zawF-pkMA0dw@mail.gmail.com> <039001cdceb4$b65c7480$23155d80$@packetizer.com> <9AE8993E-92CB-499B-AC47-C7477FF765CC@gmail.com> <CAA1s49Vu+LKXr36wheH3qJZcGLyjGuJrD_xs7eXaYjVC8mUz=A@mail.gmail.com> <CAK3OfOj5fqoybKqvdruwAqOhjdp5VxSMAKK1NdDfdn+OEVOSFw@mail.gmail.com> <CAK3OfOi-jM3J=fVqNrO-6f5qVLbqQBMFJPwFBZQO8CVQv3VK+g@mail.gmail.com> <CAAz=sc=wER+3jANNhwq7q2FSveUpPL3fW9RAF7ZAx=czSQVqbQ@mail.gmail.com> <073201cdd041$d2050b50$760f21f0$@packetizer.com> <B504193B-EE58-455F-9851-6A45E56BF828@ve7jtb.com> <CAMQ7dq4tfF08=y0D-5bA9SONPe1xHstXdm2=QqkSD_trRE1Jzw@mail.gmail.com> <078801cdd067$4cdfb2b0$e69f1810$@packetizer.com> <0BB05AB9-6D89-4CBC-8724-B1744BE95A94@gmail.com> <085801cdd103$ee1f2ce0$ca5d86a0$@packetizer.com> <C466889C-5A54-44D3-B8F5-3CAC4A1BA2E0@gmail.com>
Date: Sun, 02 Dec 2012 22:56:22 -0600
Message-ID: <CAK3OfOj3riX7hR_vjNNLjsssbhdmpG+BYYdkqXBDTUeSOSwTjQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Dick Hardt <dick.hardt@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: apps-discuss@ietf.org, webfinger@googlegroups.com, Joseph Holsten <joseph@josephholsten.com>
Subject: Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP
Precedence: list

On Sun, Dec 2, 2012 at 9:24 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> I agree there are many use cases where the security is not essential.
>
> My question was what do we lose by requiring TLS?

Some hosting sites can't handle it well at all.  Either they require
server certs that can serve many domains or they require per-domain IP
addresses because SNI is not well supported.

Many clients don't do proper server cert validation.  "I used TLS" !=
"I got it securely".

> There is a real latency and extra code in dealing with the fallback as currently specified.

But is that relevant here?

> For example, we lose being able to use a simple CURL command to get a JRD.

So you need an if and two invocations of curl.

Nico
--

Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Dick Hardt
Re: [apps-discuss] Webfinger goals doc Mike Jones
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Sandeep Shetty
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Melvin Carvalho
Re: [apps-discuss] Webfinger goals doc Paul Hoffman
Re: [apps-discuss] Webfinger goals doc Dick Hardt
Re: [apps-discuss] Webfinger goals doc Ben Laurie
[apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Phillip Hallam-Baker
Re: [apps-discuss] Webfinger goals doc Joe Gregorio
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc William Mills
Re: [apps-discuss] Webfinger goals doc Martin J. Dürst
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Evan Prodromou
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc Blaine Cook
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc William Mills
Re: [apps-discuss] Webfinger goals doc Joseph Holsten
Re: [apps-discuss] Webfinger goals doc Evan Prodromou
Re: [apps-discuss] Webfinger goals doc Tim Bray
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Evan Prodromou
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc Evan Prodromou
Re: [apps-discuss] Webfinger goals doc William Mills
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Evan Prodromou
Re: [apps-discuss] Webfinger goals doc William Mills
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc John Panzer
Re: [apps-discuss] Webfinger goals doc William Mills
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Joseph Anthony Pasquale Holsten
Re: [apps-discuss] Webfinger goals doc John Panzer
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Joseph Holsten
Re: [apps-discuss] Webfinger goals doc Dick Hardt
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc William Mills
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
[apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] Webfinger goals doc Mike Jones
Re: [apps-discuss] Webfinger goals doc John Panzer
Re: [apps-discuss] Webfinger goals doc t.petch
Re: [apps-discuss] Webfinger goals doc Bob Wyman
[apps-discuss] R: Webfinger goals doc Goix Laurent Walter
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
Re: [apps-discuss] Webfinger goals doc Tim Bray
Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] Webfinger goals doc Zellyn Hunter
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc Bob Wyman
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] Webfinger goals doc Paul E. Jones
Re: [apps-discuss] Webfinger goals doc John Bradley
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP James M Snell
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP James M Snell
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Bob Wyman
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Breno de Medeiros
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Martin Thomson
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Breno de Medeiros
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Blaine Cook
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP William Mills
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Evan Prodromou
Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
[apps-discuss] Options... Re: HTTPS-only vs HTTPS… William Mills
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Mikael Nordfeldth
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Melvin Carvalho
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Zellyn Hunter
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Panzer
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Martin J. Dürst
Re: [apps-discuss] Web Finger HTTPS-only vs HTTPS… John Bradley
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Evan Prodromou
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Panzer
Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick