Some sanity appears:

On Nov 13, 2013, at 1:57 PM, Mike Bishop <michael.bis...@microsoft.com> wrote:

> While the language may be strong, I agree with the sentiment that they are
> distinct mechanisms. Mark has proposed a mechanism, independent of HTTP/2.0,
> which can be used to migrate from an HTTP connection to an HTTPS connection.
> That’s a separate proposal from HTTP/2.0. The actual “security” of HTTPS is
> entirely dependent on TLS and completely orthogonal to HTTP/2.0.
>
> From: Tao Effect [mailto:cont...@taoeffect.com]
> Sent: Wednesday, November 13, 2013 10:54 AM
> To: Martin Thomson
> Cc: "William Chan (陈智昌)"; Mike Belshe; Tim Bray; James M Snell; Mark
> Nottingham; HTTP Working Group
> Subject: Re: Moving forward on improving HTTP's security
>
> OK, I agree with this sentiment.
>
> What worries me is the emphasis that I see being placed on HTTP 2.0 being
> "secure".
>
> Perhaps it is somewhat of a marketing problem, but nevertheless, it's a
> marketing problem with potentially serious security consequences.
>
> If HTTP/2.0 is flexible enough to allow for very different types of
> authentication practices than the ones currently done with the PKI/CA system,
> then I would support it.
>
> Just make it _clear_ then that HTTP/2.0 is not about improving security.
>
> If this is not made crystal clear, then people will continue to see news
> headlines on tech sites that give people the impression that something is
> actually being done to improve the internet's security with this "move to
> HTTP 2.0!", which is horse sh*t.
>
> - Greg

--
Please do not email me anything that you are not comfortable also sharing with the NSA.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography