require tls auth #234
Comments
Not convinced, in particular because it's a rather drastic change at this point. If authentication is OK, isn't it much easier just to redirect the client to the HTTPS port? Wouldn't we remove the main reason why this was specced in the first place?
I'm not sure what you mean by https port - which is indeed what this will The main reason for this spec would be for improving the use of http as for drastic at this point -there is no point in moving the document On Thu, Sep 8, 2016 at 1:53 AM, Julian Reschke notifications@github.com
Question: is the intent to retain the requirement that the alternative service be on the same host?
@mnot [Question: is the intent to retain the requirement that the alternative service be on the same host?] no such requirement now that we have auth and .wk
Resolved in the latest.
1] opportunistic security should require TLS authentication. Any other approach undermines the opt-in mechanism of .wk. As the PKI market has matured to allow truly free and automated certs, certificate availability is no longer the chief barrier to https, and so opportunistic security should feel comfortable requiring real authentication. (THERE IS NO PROPOSED CHANGE IN THE SECURITY MODEL - HTTP:// IS STILL HTTP:// AND NOT GRANTED HTTPS:// STATUS AT ALL). The biggest barrier to https:// at this point seems to be mixed content.