ietf

Re: https at ietf.org

2013-11-25 06:09:00
I like where this has ended up. I am pretty convinced that HTTPS is mostly a 
dead end because of the CA problem. However, getting RFC 2817 really, really 
out there would be a huge advance. Like a lot of security stuff, people need a 
compelling reason to deploy *or* they will use it if it is “just there.” Let us 
make it “just be there.”

On Nov 8, 2013, at 2:40 AM, Dave Cridland <dave(_at_)cridland(_dot_)net> wrote:

> On Thu, Nov 7, 2013 at 11:28 PM, Pranesh Prakash
> <pranesh(_at_)cis-india(_dot_)org> wrote:
>> Dave Cridland [2013-11-06 06:39]:
>>> Requiring HTTPS, particularly with reasonable cipher suites, might restrict
>>> use of from certain jurisdictions.
>>
>> Could we have more concrete examples, please?  Would these be because of
>> export restrictions?[1]  For instance, are there any jurisdictions from
>> where users have to disable the HTTPS by default option in Gmail?
>>
>>  [1]: http://www.cryptolaw.org/
>
> Examining this website for marginally less than a minute tells me that
> encryption is generally banned in Saudi Arabia.
>
> But that's really beside the point. If we "fixed" RFC 2817 support, we could
> have opportunistic (better than nothing) crypto on *all* websites, rather
> than forcing every website to deploy HTTPS-only - pretty good win for privacy
> / anti-pervasive-surveillance.
>
> That is, making encryption optional, but available everywhere, is a bigger
> win than making it mandatory in a few places.
>
> Dave.
