Re: New Version Notification for draft-nottingham-http2-encryption-03.txt

William Chan (陈智昌) <willchan@chromium.org> Wed, 21 May 2014 08:02 UTC

In-Reply-To: <op.xf66wa14iw9drz@uranium.arthotel.pl>
References: <20140520034054.10225.92036.idtracker@ietfa.amsl.com> <5905C797-A8E2-417B-94AB-589C174382BA@mnot.net> <CAPik8yb2P5RoGMLB=OtcbnpgZd-if9FpEp0HcLQcyVMtie4Yig@mail.gmail.com> <CABkgnnUJ+eDyjJteYj0pDQyy3k-j+DC2io71P-p8F=ufvDEUwg@mail.gmail.com> <op.xf6j5aubiw9drz@uranium.oslo.osa> <CAA4WUYhXw--Ugjc2f2sxJWVq0y67p+NvWVog1TewWB9+1qGzsA@mail.gmail.com> <op.xf66wa14iw9drz@uranium.arthotel.pl>
Date: Wed, 21 May 2014 01:01:26 -0700
Message-ID: <CAA4WUYhfB8uo4cBgJVqNQSQ-HBncvFY0boa7GhiDwy6gnYVEqg@mail.gmail.com>
From: "William Chan (陈智昌)" <willchan@chromium.org>
To: Martin Nilsson <nilsson@opera.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAA4WUYhfB8uo4cBgJVqNQSQ-HBncvFY0boa7GhiDwy6gnYVEqg@mail.gmail.com>

But transport security != web security; there is plenty of practical
difference. Different schemes imply different web origins. The webpage is
*not* equivalent to what it would be if the page were loaded as https. Now you get
differences in same-origin policies and CORS and referrer policies and blah
blah blah.

Not to mention it'd be a lame user experience to start out with a green
lock and then, when an insecure resource is loaded (which we'd have to
allow, unless we want to block mixed content for opportunistically
encrypted webpages), to remove the security indicator. We should avoid
confusing the user with changing security indicators during a page load.

On Tue, May 20, 2014 at 11:56 PM, Martin Nilsson <nilsson@opera.com> wrote:

> On Wed, 21 May 2014 00:55:42 +0200, William Chan (陈智昌) <willchan@chromium.org> wrote:
>
>
> Transport security is very different from web security. For example, only
> some of the resources in a webpage may be opportunistically encrypted with
> strong authentication. If there's active content like script that's loaded
> without transport security, that can compromise the entire page.
>
>
> Yes, of course. I'm asking about the case where everything is equivalent
> to the page having been loaded as https. Certificates check out, all
> dependencies are secure, etc. Section 6.1 states that the page MUST NOT be
> indicated to be secure, even though there is no practical difference.
>
>
> /Martin Nilsson
>
> --
> Using Opera's revolutionary email client: http://www.opera.com/mail/
>
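An added illustration of the origin point made in the reply above; this is not code from either message or from the draft. A web origin is the (scheme, host, port) tuple of the URL, so an http:// page that happens to arrive over an opportunistically encrypted connection is still the http://example.com origin, distinct from https://example.com, and the mixed-content check is keyed on the page URL's scheme rather than on the transport. The example assumes Node or a browser with the WHATWG `URL` class; the resource-type list, the sample URLs and the three-way indicator decision are constructed for the example and simplify real browser policy.

```javascript
// Added illustration (not code from the thread or the draft): how a
// browser-style origin check and mixed-content check treat an http:// page
// that happened to arrive over an opportunistically encrypted connection.
// The web origin is the (scheme, host, port) tuple of the URL, so the
// transport the bytes came over does not enter into it.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a URL into its origin tuple, filling in the scheme's default port
// (the WHATWG URL parser elides it, so "http://a/" and "http://a:80/" agree).
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Same-origin policy: all three members must match. A scheme change alone
// (http vs https) is enough to make two URLs different origins.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Subresource types treated here as "active" mixed content (constructed
// list): they can run code or reshape the page, so one of them fetched in
// the clear lets an on-path attacker take over the whole page. Images and
// media are "passive".
const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr", "fetch", "font"]);

// Classify each subresource relative to the page that loads it.
// Mixed-content rules are keyed on the page URL's scheme, not the transport,
// which is why an http:// page has no mixed-content check at all: plaintext
// subresources are simply allowed, as the reply above points out.
function classifySubresources(pageUrl, subresources) {
  const pageIsHttps = originOf(pageUrl).scheme === "https:";
  return subresources.map((r) => {
    const plaintext = originOf(r.url).scheme === "http:";
    let mixedContent = "none";
    if (pageIsHttps && plaintext) {
      mixedContent = ACTIVE_TYPES.has(r.type) ? "active-blocked" : "passive";
    }
    return {
      url: r.url,
      type: r.type,
      crossOrigin: !sameOrigin(pageUrl, r.url),
      mixedContent,
    };
  });
}

// Simplified indicator decision (assumption, not any browser's actual UI
// policy): "lock" only for an https:// page whose subresources are all
// fetched securely; "degraded" for an https:// page with mixed content;
// "none" for any http:// page, however it was transported (the draft's
// section 6.1 rule as quoted above).
function securityIndicator(pageUrl, subresources) {
  if (originOf(pageUrl).scheme !== "https:") return "none";
  const anyMixed = classifySubresources(pageUrl, subresources)
    .some((r) => r.mixedContent !== "none");
  return anyMixed ? "degraded" : "lock";
}

// Constructed sample: an http:// page (imagine it was served over
// opportunistic TLS) pulling one same-origin script, one cross-origin script
// over plain http, and an https image.
const SAMPLE_PAGE = "http://example.com/index.html";
const SAMPLE_SUBRESOURCES = [
  { url: "http://example.com/app.js", type: "script" },
  { url: "http://cdn.example.net/lib.js", type: "script" },
  { url: "https://img.example.com/logo.png", type: "image" },
];

function demo() {
  return {
    sameHostDifferentScheme: sameOrigin("http://example.com/", "https://example.com/"),
    subresources: classifySubresources(SAMPLE_PAGE, SAMPLE_SUBRESOURCES),
    indicator: securityIndicator(SAMPLE_PAGE, SAMPLE_SUBRESOURCES),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `demo()` shows the two halves of the argument side by side: the http:// page and its https:// twin are different origins even though the host is identical, and because the page's scheme is http the plaintext cross-origin script is not mixed content at all, so nothing stops it from being loaded and the page can never qualify for an indicator.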