Re: Fwd: New Version Notification for draft-nottingham-http2-encryption-02.txt

Eliot Lear <lear@cisco.com> Tue, 17 December 2013 19:25 UTC

From: Eliot Lear <lear@cisco.com>
Date: Tue, 17 Dec 2013 20:22:06 +0100
To: "William Chan (陈智昌)" <willchan@chromium.org>
CC: Adrien de Croy <adrien@qbik.com>, Brian Smith <brian@briansmith.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Paul Hoffman <paul.hoffman@gmail.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <52B0A45E.2010901@cisco.com>
In-Reply-To: <CAA4WUYiZWNtJupQ-6bXO3aNXz1B0qBKoTX9-z-XEjdzTptTLDQ@mail.gmail.com>
Archived-At: <http://www.w3.org/mid/52B0A45E.2010901@cisco.com>

Hi Will,

I'm a pretty simple guy and what will follow is simple logic.  But maybe
it's wrong (indicating I'm simpler still).  See below, please.

On 12/17/13 6:36 PM, William Chan (陈智昌) wrote:
> Did you mean CAs that offered free certs? Brian listed this earlier already.

That list was problematic.  It does not provide for general availability
of certificates, but for open source projects, and other limited groups,
an "inferior product" as Brian called it.

> And I know there are DANE fans here...I don't really want to talk
> about it here since it'll distract from the conversation. Please ask
> at https://code.google.com/p/chromium/issues/detail?id=50874. But in
> short, I believe we have no plans to implement.

Bringing this back around to draft-nottingham-http2-encryption, the
document poses a problematic issue around what is mandatory to
implement.  Some browser developers have made it clear that they're not
going to do unencrypted http2.  If reality is that HTTP2 will only be
implemented by browsers via TLS, then there are exactly two paths one can
follow:

1.  Everyone can and will use TLS in all circumstances; or
2.  Not everyone can and will use TLS in all circumstances, and hence
HTTP2 is not a replacement for HTTP.

Let us assume that (1) is the intended target.  In that case, we have
the following options:

 A. Demonstrate that free certificates are generally available,
 B. Use unauthenticated or opportunistic encryption,
 C. See that DANE is delivered, or
 D. Develop another option.

Personally I don't believe (A) and you and I have thus far rejected
(B)[*].  That leaves (C), which I personally like and you have no plan
to implement, or (D).  If you would like to avoid the distraction,
kindly correct my understanding?  Maybe you don't grant assumption of
(1).  I don't think others do, but the charter sort of pushes that
point.  Anyway, this is the reason we keep circling back to DANE, as I
see it.

Eliot

[*] I might be convinced that some form of encryption is yet a good idea.