Folks,

On 11/16/2013 09:47 PM, Phillip Hallam-Baker wrote:
> I like TLS everywhere with strong authentication. The idea of weakening the
> authentication requirements further and calling the result TLS worries me a
> lot.

TLS has included anon-DH from the get go. Self-signed certificate deployments with TLS amount to 10% of all web sites (says [1]). Only about 3 times that number use certs that chain up to a browser-trusted CA of one sort or another. So a premise that all TLS deployments have strong server authentication today is wrong.

And I've objected to PHB saying "weakening" elsewhere, [2] so I won't repeat that here.

And to the extent this discussion is about http/tls, that belongs on the httpbis wg list, where there's been a firestorm of discussion on exactly that topic. So, please let's not start another http/tls thread here, which is what this seems to be turning into, even though Phill asked something else.

Other foo/tls protocols will also soon have a separate venue [3] and we have a TLS working group. So I see little left to discuss about TLS on this list to be honest.

Finally, I note the subject line here said "without TLS" and not "debate TLS on yet another list" :-)

S.

[1] http://w3techs.com/technologies/overview/ssl_certificate/all
[2] http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/0928.html
[3] https://datatracker.ietf.org/doc/charter-ietf-uta/
