Re: [perpass] Unauthenticated, ephemeral keying in HTTP/1.0 without TLS
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 17 November 2013 15:39 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1DC411E8E4E for <perpass@ietfa.amsl.com>; Sun, 17 Nov 2013 07:39:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jFm7Ok63RxB5 for <perpass@ietfa.amsl.com>; Sun, 17 Nov 2013 07:39:54 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 5AB5711E8E45 for <perpass@ietf.org>; Sun, 17 Nov 2013 07:39:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0AC81BE3F; Sun, 17 Nov 2013 15:39:50 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M+LOc5QkIiTN; Sun, 17 Nov 2013 15:39:48 +0000 (GMT)
Received: from [10.87.48.12] (unknown [86.42.30.223]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 85E30BE33; Sun, 17 Nov 2013 15:39:48 +0000 (GMT)
Message-ID: <5288E344.1020008@cs.tcd.ie>
Date: Sun, 17 Nov 2013 15:39:48 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>, perpass <perpass@ietf.org>
References: <CAMm+Lwg-AF9fZ5=f5W8JDmiCe=U7Uyxso_bdHGaQhddsQ+aGaw@mail.gmail.com>
In-Reply-To: <CAMm+Lwg-AF9fZ5=f5W8JDmiCe=U7Uyxso_bdHGaQhddsQ+aGaw@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [perpass] Unauthenticated, ephemeral keying in HTTP/1.0 without TLS
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 15:40:03 -0000
Folks, On 11/16/2013 09:47 PM, Phillip Hallam-Baker wrote: > I like TLS everywhere with strong authentication. The idea of weakening the > authentication requirements further and calling the result TLS worries me a > lot. TLS has include anon-DH from the get go. Self-signed certificate deployments with TLS amount to 10% of all web sites (says [1]). Only about 3 times that number use certs that chain up to a browser-trusted CA of one sort or another. So a premise that all TLS deployments have strong server authentication today is wrong. And I've objected to PHB saying "weakening" elsewhere, [2] so I won't repeat that here. And to the extent this discussion is about http/tls, that belongs on the httpbis wg list, where there's been a firestorm of discussion on exactly that topic. So, please let's not start another http/tls thread here, which is what this seems to be turning in to, even though Phill asked something else. Other foo/tls protocols will also soon have a separate venue [3] and we have a TLS working group. So I see little left to discuss about TLS on this list to be honest. Finally, I note the subject line here said "without TLS" and not "debate TLS on yet another list" :-) S. [1] http://w3techs.com/technologies/overview/ssl_certificate/all [2] http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/0928.html [3] https://datatracker.ietf.org/doc/charter-ietf-uta/
- [perpass] Unauthenticated, ephemeral keying in HT… Phillip Hallam-Baker
- Re: [perpass] Unauthenticated, ephemeral keying i… Brian E Carpenter
- Re: [perpass] Unauthenticated, ephemeral keying i… Ted Lemon
- Re: [perpass] Unauthenticated, ephemeral keying i… Brian E Carpenter
- Re: [perpass] Unauthenticated, ephemeral keying i… Ted Lemon
- Re: [perpass] Unauthenticated, ephemeral keying i… Learmonth, Iain Ross
- Re: [perpass] Unauthenticated, ephemeral keying i… Stephen Farrell
- [perpass] CDNs as wiretaps [Unauthenticated, ephe… Brian E Carpenter
- Re: [perpass] TLS discussion Learmonth, Iain Ross
- Re: [perpass] TLS discussion Stephen Farrell
- Re: [perpass] TLS discussion Phillip Hallam-Baker
- Re: [perpass] TLS discussion Stephen Farrell
- Re: [perpass] CDNs as wiretaps [Unauthenticated, … Eric Burger
- Re: [perpass] CDNs as wiretaps [Unauthenticated, … Learmonth, Iain Ross
- Re: [perpass] CDNs as wiretaps [Unauthenticated, … Stephen Kent