> Other foo/tls protocols will also soon have a separate venue [3]
> and we have a TLS working group. So I see little left to discuss
> about TLS on this list to be honest.
> [3] https://datatracker.ietf.org/doc/charter-ietf-uta/

I agree that the HTTP/TLS discussion should be moved to the uta (Using TLS in Applications) mailing list, when one exists, with regard to authentication. It protects far more against active attacks and this list is about preventing passive mass monitoring being useful.

I think that the discussion relating to the use of TLS for encryption, its effect on proxies and CDNs, and the fact that CDNs are a privacy issue still need discussion here and are relevant to this list.

The main question: are there times when we would ever want HTTP traffic to not be encrypted? The secondary question is: how can the trust model for CDNs be improved?

I don't believe that third-party CDNs that do caching and have access to private information are a good idea. Maybe we can come up with some best practices, like only proxying static content but contacting the site directly for dynamic content that could contain private information, and declaring in the cert that you're contacting a CDN instead of the actual site? But then there are no guarantees that people are following them.

Iain.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
