[Cryptography] HTTP should be deprecated.

Guido Witmond guido at witmond.nl
Mon Nov 4 15:17:38 EST 2013


On 11/04/13 18:44, John Kelsey wrote:
> On Nov 4, 2013, at 10:50 AM, Greg <greg at kinostudios.com> wrote:
> 
>> Could someone please forward this message to the Elders of the
>> Internet™?
>> 
>> It's time to make encryption mandatory in all communication
>> protocols.
> 
> Amen!  [...]
> 
> The sticking point here is key management, which is a big potential
> administrative pain in the ass. But it's worth wondering if we
> could at least get widespread use of Diffie-Hellman + GCM as a
> default.  There is no key management there, and no defense against
> MIM attacks, but at least everything doesn't go out in the clear.

Key management should be automated to the point that the *end user*
doesn't see it anymore.

<plug>I've got the ideas how to do it in a very backwards compatible way
on the current internet. It requires a user agent at the client and some
server side software to generate certificates.
See http://eccentric-authentication.org</plug>

Now if I got some funding to make it a Firefox plug-in, it would also be
easy to install.

Regards, Guido.
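
The trade-off raised in the quoted text above (Diffie-Hellman + GCM with no key management), as an added example that is not part of the original post: an anonymous exchange keeps traffic out of the clear, but only an out-of-band check of the peer's public key reveals a key substituted in transit. The curve, the HKDF label, the fingerprint length and all function names are assumptions made for this sketch.

```javascript
// Added example: unauthenticated ECDH + AES-256-GCM. All names are illustrative.
const nodeCrypto = require('node:crypto');

// One endpoint of an anonymous key exchange: a fresh key pair, nothing pre-shared.
function newEndpoint() {
  const dh = nodeCrypto.createECDH('prime256v1');
  dh.generateKeys();
  return dh;
}

// Derive a 256-bit AES key from the raw DH shared secret with HKDF-SHA256.
function sessionKey(self, peerPublicKey) {
  const secret = self.computeSecret(peerPublicKey);
  const label = Buffer.from('dh-gcm-demo'); // constructed label
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), label, 32));
}

function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // throws on a bad tag
}
// Short fingerprint of a public key, for comparison over a separate channel.
const fingerprint = (pub) =>
  nodeCrypto.createHash('sha256').update(pub).digest('hex').slice(0, 16);

// Case 1: public keys arrive unmodified. Both ends derive the same key.
function directExchange() {
  const client = newEndpoint(), server = newEndpoint();
  const kc = sessionKey(client, server.getPublicKey());
  const ks = sessionKey(server, client.getPublicKey());
  return { keysMatch: kc.equals(ks), received: unseal(ks, seal(kc, 'GET / HTTP/1.1')) };
}

// Case 2: a relay on the path substitutes its own public key in both directions.
function relayedExchange() {
  const client = newEndpoint(), server = newEndpoint(), relay = newEndpoint();
  const kc = sessionKey(client, relay.getPublicKey()); // client believes this is the server
  const ks = sessionKey(server, relay.getPublicKey()); // server believes this is the client
  return {
    endpointsShareKey: kc.equals(ks),
    relayReads: unseal(sessionKey(relay, client.getPublicKey()), seal(kc, 'GET / HTTP/1.1')),
    fingerprintMatches: fingerprint(relay.getPublicKey()) === fingerprint(server.getPublicKey()),
  };
}
```

GCM's tag still verifies in the relayed case because it only authenticates against the session key; the mismatch shows up only in the public-key fingerprint, which is the piece that key management has to deliver.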
