I like where this has ended up. I am pretty convinced that HTTPS is mostly a
dead end because of the CA problem. However, getting RFC 2817 really, really
out there would be a huge advance. Like a lot of security stuff, people need a
compelling reason to deploy *or* they will use it if it is “just there.” Let us
make it “just be there.”

On Nov 8, 2013, at 2:40 AM, Dave Cridland <dave(_at_)cridland(_dot_)net> wrote:

> On Thu, Nov 7, 2013 at 11:28 PM, Pranesh Prakash
> <pranesh(_at_)cis-india(_dot_)org> wrote:
>
>> Dave Cridland [2013-11-06 06:39]:
>>> Requiring HTTPS, particularly with reasonable cipher suites, might restrict
>>> use of from certain jurisdictions.
>>
>> Could we have more concrete examples, please? Would these be because of
>> export restrictions?[1] For instance, are there any jurisdictions from
>> where users have to disable the HTTPS by default option in Gmail?
>>
>> [1]: http://www.cryptolaw.org/
>
> Examining this website for marginally less than a minute tells me that
> encryption is generally banned in Saudi Arabia.
>
> But that's really beside the point. If we "fixed" RFC 2817 support, we could
> have opportunistic (better than nothing) crypto on *all* websites, rather
> than forcing every website to deploy HTTPS-only - pretty good win for privacy
> / anti-pervasive-surveillance.
>
> That is, making encryption optional, but available everywhere, is a bigger
> win than making it mandatory in a few places.
>
> Dave.