Re: [hybi] On TLS-only Approaches
Adam Barth <ietf@adambarth.com> Sun, 22 August 2010 20:44 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9284E3A68B1 for <hybi@core3.amsl.com>; Sun, 22 Aug 2010 13:44:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.125
X-Spam-Level:
X-Spam-Status: No, score=-2.125 tagged_above=-999 required=5 tests=[AWL=-0.148, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rc9P8Xj7rn8O for <hybi@core3.amsl.com>; Sun, 22 Aug 2010 13:44:32 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 5E67C3A6873 for <hybi@ietf.org>; Sun, 22 Aug 2010 13:44:32 -0700 (PDT)
Received: by ywi4 with SMTP id 4so2047208ywi.31 for <hybi@ietf.org>; Sun, 22 Aug 2010 13:45:06 -0700 (PDT)
Received: by 10.101.138.8 with SMTP id q8mr4333823ann.164.1282509905790; Sun, 22 Aug 2010 13:45:05 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id x33sm9340971ana.33.2010.08.22.13.45.03 (version=SSLv3 cipher=RC4-MD5); Sun, 22 Aug 2010 13:45:04 -0700 (PDT)
Received: by iwn3 with SMTP id 3so5529891iwn.31 for <hybi@ietf.org>; Sun, 22 Aug 2010 13:45:03 -0700 (PDT)
Received: by 10.231.119.229 with SMTP id a37mr4932980ibr.169.1282509903152; Sun, 22 Aug 2010 13:45:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.187.218 with HTTP; Sun, 22 Aug 2010 13:44:33 -0700 (PDT)
In-Reply-To: <AANLkTin3r+f1Fn_X5O401PSANRrcgttLR-P4qMJZWKtV@mail.gmail.com>
References: <AANLkTikJcbyEZ-Y0FOXni89L8Awa_UBmMMDvLgsOuoou@mail.gmail.com> <AANLkTin3r+f1Fn_X5O401PSANRrcgttLR-P4qMJZWKtV@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 22 Aug 2010 13:44:33 -0700
Message-ID: <AANLkTinZV5zhOb+_p=MjcCbqKttVBHnva85WikuB=g=D@mail.gmail.com>
To: John Tamplin <jat@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Server-Initiated HTTP <hybi@ietf.org>
Subject: Re: [hybi] On TLS-only Approaches
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Aug 2010 20:44:34 -0000
On Sun, Aug 22, 2010 at 12:49 PM, Roberto Peon <fenix@google.com> wrote: > There are downsides from the pure TLS approach, which we've not yet figured > out how to overcome on the SPDY side. > It boils down to ensuring that schools and other institutions can *easily* > perform MITM monitoring/censoring. Hum... I'm not sure we should kowtow to proponents of censorship. > We may already be facing these problems as we deploy a new protocol which > their proxies don't understand. > If we allowed/configured the NULL cipher for TLS, then MITM proxies could > still monitor, if perhaps not censor, but you're asking for trouble there. See below. On Sun, Aug 22, 2010 at 1:10 PM, John Tamplin <jat@google.com> wrote: > We have people complaining about the complexity of doing an extra comparison > to interpret the length of a frame -- it seems to me that requiring a TLS > implementation is unacceptable. Think about all the small embedded devices > which run a web server on very underpowered machines -- should they all be > required to implement TLS? At the least, we'll probably want to offer a version that doesn't check the server's certificate so folks can use the protocol without paying for a CA-validated certificate. If embedded performance today is important, we can certainly consider offering a simple ciphersuite with this version (e.g., RC4). Adam
- Re: [hybi] On TLS-only Approaches Adam Barth
- Re: [hybi] On TLS-only Approaches John Tamplin
- [hybi] On TLS-only Approaches Eric Rescorla
- Re: [hybi] On TLS-only Approaches Roberto Peon
- Re: [hybi] On TLS-only Approaches John Tamplin
- Re: [hybi] On TLS-only Approaches Adam Barth
- Re: [hybi] On TLS-only Approaches John Tamplin
- Re: [hybi] On TLS-only Approaches Adam Barth
- Re: [hybi] On TLS-only Approaches Mark Nottingham
- Re: [hybi] On TLS-only Approaches Adam Barth
- Re: [hybi] On TLS-only Approaches Maciej Stachowiak
- Re: [hybi] On TLS-only Approaches Maciej Stachowiak
- Re: [hybi] On TLS-only Approaches Maciej Stachowiak
- Re: [hybi] On TLS-only Approaches John Tamplin
- Re: [hybi] On TLS-only Approaches Adam Barth
- Re: [hybi] On TLS-only Approaches Mike Belshe
- Re: [hybi] On TLS-only Approaches Mark Nottingham
- Re: [hybi] On TLS-only Approaches Brian Smith
- Re: [hybi] On TLS-only Approaches Shelby Moore
- Re: [hybi] On TLS-only Approaches Eric Rescorla
- Re: [hybi] On TLS-only Approaches Daniel Stenberg