HTTP:// URIs over TLS #315

Closed
mnot opened this Issue Nov 15, 2013 · 12 comments

Projects

None yet

6 participants

@mnot
Member
mnot commented Nov 15, 2013

One of the approaches considered for improving security is opportunistic encryption.

Two variants have been discussed; "relaxed" where server authentication is not checked, and "strict", where it is. In discussion, it appears that there's a preference for just using HTTPS URLs over "strict", but there is still some interest in "relaxed."

There appears to be some implementer interest in this approach, but not yet readiness to implement, so this issue is on hold.

Note that opp encryption might also be applied to HTTP/1.1.

@mnot
Member
mnot commented Nov 21, 2013
@paulehoffman

The description of this topic still only lists draft-nottingham-http2-encryption as an approach. Please add draft-hoffman-httpbis-minimal-unauth-enc, which does opportunistic encryption in a very different way than draft-nottingham-http2-encryption.

@mnot
Member
mnot commented Jan 24, 2014

Discussed in Zurich; further discussion in London; mark and patrick to revise draft and experiment. However, this will not block HTTP/2 unless delay is minimal.

@mnot
Member
mnot commented Jan 24, 2014

Notes from Zurich:

HTTP URIs over TLS

  1. no

Authentication

  1. unauthenticated
  2. authenticated == HTTPS
  3. not WebPKI-authenticated (TACK? DANE? ETC. ETC.) -- NOT US

Discovery

a. In-band Hint (header) - optional to use.

b. DNS -- not now.
I. SRV
II. TXT
III. SVCINFO
IV. HASTLS

c. use existing 443 connection for defaulted ports - some interest (esp. in addition to other mechanisms); needs refusal. SETTINGS indicator for support; refusal error code (?)

d. encryption inside HTTP/2 -- no

e. speculative connection -- we will say nothing about this

Add-ons

i. Refusal (you got the endpoint wrong)

ii. implicit shortcut

iii. pinning

@paulehoffman

It would be good if the community could acknowledge the differences between opportunistic (doing something good that wasn't asked for) and unauthenticated (a security state).

--Paul Hoffman

@mnot
Member
mnot commented Mar 5, 2014

Discussed in London; support for documenting this.

@mnot mnot added the editor-ready label Mar 5, 2014
@mnot mnot added this to the Fourth Implementation Draft milestone Mar 5, 2014
@mcilvena

@mnot What are the fundamental difference between opportunistic TLS and RFC 2817?

@bagder
bagder commented Mar 12, 2014

@mcilvena take it to the mailing list? RFC2817 is quite different than the current Alt-Svc proposal. See http://tools.ietf.org/html/draft-nottingham-httpbis-alt-svc-03

@mnot mnot removed this from the Fourth Implementation Draft milestone Mar 27, 2014
@mnot mnot added editor-ready and removed editor-ready labels Mar 27, 2014
@martinthomson
Member
@mnot
Member
mnot commented Jun 6, 2014

Discussed in NYC; agreed to adopt as WG Experimental. Martin to edit.

@mnot mnot closed this Jun 6, 2014
@mnot mnot added the writeup label Dec 4, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment