Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP
Nico Williams <nico@cryptonector.com> Mon, 03 December 2012 04:56 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DB3221F841B for <apps-discuss@ietfa.amsl.com>; Sun, 2 Dec 2012 20:56:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OzLIJitMkiPb for <apps-discuss@ietfa.amsl.com>; Sun, 2 Dec 2012 20:56:24 -0800 (PST)
Received: from homiemail-a72.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177]) by ietfa.amsl.com (Postfix) with ESMTP id D35DA21F841A for <apps-discuss@ietf.org>; Sun, 2 Dec 2012 20:56:24 -0800 (PST)
Received: from homiemail-a72.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTP id 8D8126B0078 for <apps-discuss@ietf.org>; Sun, 2 Dec 2012 20:56:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=0CKnr28iEmFi+4jeCqTe z61WZ48=; b=MupveVfwGWOyvjlo0OUUSP67jHQifLwb2XUmm2GFeDdEkXXVbt1u Ejk8tk/oI1jaSZvswBWaav6ML6pIpvoHwqKxS21z73GKGgUWVymiVmDjaHk7WmrW Sz9e7V/jwjDTy4a12TK+/yfg8cy3za7IMNnL0YM2YegOUyJNez7a98I=
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTPSA id 420816B0070 for <apps-discuss@ietf.org>; Sun, 2 Dec 2012 20:56:24 -0800 (PST)
Received: by mail-we0-f172.google.com with SMTP id r3so999784wey.31 for <apps-discuss@ietf.org>; Sun, 02 Dec 2012 20:56:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.180.97.137 with SMTP id ea9mr7382215wib.13.1354510582837; Sun, 02 Dec 2012 20:56:22 -0800 (PST)
Received: by 10.216.192.207 with HTTP; Sun, 2 Dec 2012 20:56:22 -0800 (PST)
In-Reply-To: <C466889C-5A54-44D3-B8F5-3CAC4A1BA2E0@gmail.com>
References: <pgauj587ym5drb1i5geo6hem.1354192360769@email.android.com> <CAAJ++qFJK_Crfj7_A6a4E8sPvq6CLYtKZOdDaVEcAp86q7H7wA@mail.gmail.com> <CAAz=sckP2w6-gMfVg-xBBVPcM7wDSerbzdbYXeOY_OpmdbToDQ@mail.gmail.com> <B1DBA05D-BB17-4BBE-893B-490199FC5F5E@ve7jtb.com> <CAAJ++qFfgi2Eu_MBe3drL1zRZJ=x0b5gVgNJ10j6TFimOta4qw@mail.gmail.com> <1268667C-895D-4273-94C8-E057D64FD349@josephholsten.com> <014901cdce6a$6943aaf0$3bcb00d0$@packetizer.com> <CAJu8rwX2n54P9prxrqzXZnc-5WeyFoHxhYcD=fvLkfh9FCUU7Q@mail.gmail.com> <016f01cdce6e$8a168af0$9e43a0d0$@packetizer.com> <CAJu8rwUvSFnhh171Xm90k1wm5bLKo_SGqs7L+cQ_QioHWzqNgQ@mail.gmail.com> <025701cdce84$a8a1bfb0$f9e53f10$@packetizer.com> <CAADDC71-1FBB-4411-B61A-359F878724A6@gmail.com> <036301cdceb1$3ae93e30$b0bbba90$@packetizer.com> <CAAJ++qGmx3hYt3f2kQ8BaVRe4ggA8F5jLyB1F-zawF-pkMA0dw@mail.gmail.com> <039001cdceb4$b65c7480$23155d80$@packetizer.com> <9AE8993E-92CB-499B-AC47-C7477FF765CC@gmail.com> <CAA1s49Vu+LKXr36wheH3qJZcGLyjGuJrD_xs7eXaYjVC8mUz=A@mail.gmail.com> <CAK3OfOj5fqoybKqvdruwAqOhjdp5VxSMAKK1NdDfdn+OEVOSFw@mail.gmail.com> <CAK3OfOi-jM3J=fVqNrO-6f5qVLbqQBMFJPwFBZQO8CVQv3VK+g@mail.gmail.com> <CAAz=sc=wER+3jANNhwq7q2FSveUpPL3fW9RAF7ZAx=czSQVqbQ@mail.gmail.com> <073201cdd041$d2050b50$760f21f0$@packetizer.com> <B504193B-EE58-455F-9851-6A45E56BF828@ve7jtb.com> <CAMQ7dq4tfF08=y0D-5bA9SONPe1xHstXdm2=QqkSD_trRE1Jzw@mail.gmail.com> <078801cdd067$4cdfb2b0$e69f1810$@packetizer.com> <0BB05AB9-6D89-4CBC-8724-B1744BE95A94@gmail.com> <085801cdd103$ee1f2ce0$ca5d86a0$@packetizer.com> <C466889C-5A54-44D3-B8F5-3CAC4A1BA2E0@gmail.com>
Date: Sun, 02 Dec 2012 22:56:22 -0600
Message-ID: <CAK3OfOj3riX7hR_vjNNLjsssbhdmpG+BYYdkqXBDTUeSOSwTjQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Dick Hardt <dick.hardt@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: apps-discuss@ietf.org, webfinger@googlegroups.com, Joseph Holsten <joseph@josephholsten.com>
Subject: Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2012 04:56:25 -0000
On Sun, Dec 2, 2012 at 9:24 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > I agree there are many use cases where the security is not essential. > > My question was what do we lose by requiring TLS? Some hosting sites can't handle it well at all. Either they require server certs that can serve many domains or they require per-domain IP addresses because SNI is not well supported. Many clients don't do proper server cert validation. "I used TLS" != "I got it securely". > There is a real latency and extra code in dealing with the fallback as currently specified. But is that relevant here? > For example, we lose being able to use a simple CURL command to get a JRD. So you need an if and two invocations of curl. Nico --
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Mike Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Sandeep Shetty
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Melvin Carvalho
- Re: [apps-discuss] Webfinger goals doc Paul Hoffman
- Re: [apps-discuss] Webfinger goals doc Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Ben Laurie
- [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Phillip Hallam-Baker
- Re: [apps-discuss] Webfinger goals doc Joe Gregorio
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Martin J. Dürst
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Blaine Cook
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Joseph Holsten
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc Tim Bray
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc John Panzer
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Joseph Anthony Pasquale Holsten
- Re: [apps-discuss] Webfinger goals doc John Panzer
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Joseph Holsten
- Re: [apps-discuss] Webfinger goals doc Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Mike Jones
- Re: [apps-discuss] Webfinger goals doc John Panzer
- Re: [apps-discuss] Webfinger goals doc t.petch
- Re: [apps-discuss] Webfinger goals doc Bob Wyman
- [apps-discuss] R: Webfinger goals doc Goix Laurent Walter
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Tim Bray
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Zellyn Hunter
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Bob Wyman
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP James M Snell
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP James M Snell
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Bob Wyman
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Breno de Medeiros
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Martin Thomson
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Breno de Medeiros
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Blaine Cook
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP William Mills
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- [apps-discuss] Options... Re: HTTPS-only vs HTTPS… William Mills
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Mikael Nordfeldth
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Melvin Carvalho
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Zellyn Hunter
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Panzer
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Martin J. Dürst
- Re: [apps-discuss] Web Finger HTTPS-only vs HTTPS… John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Evan Prodromou
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Panzer
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick