I like where this has ended up. I am pretty convinced that HTTPS is mostly a dead end because of the CA problem. However, getting RFC 2817 really, really out there would be a huge advance. Like a lot of security stuff, people need a compelling reason to deploy *or* they will use it if it is "just there." Let us make it "just be there."

On Nov 8, 2013, at 2:40 AM, Dave Cridland <dave@xxxxxxxxxxxx> wrote:

> On Thu, Nov 7, 2013 at 11:28 PM, Pranesh Prakash <pranesh@xxxxxxxxxxxxx> wrote:
>
>> Dave Cridland [2013-11-06 06:39]:
>>> Requiring HTTPS, particularly with reasonable cipher suites, might restrict
>>> use of from certain jurisdictions.
>>
>> Could we have more concrete examples, please? Would these be because of
>> export restrictions?[1] For instance, are there any jurisdictions from
>> where users have to disable the HTTPS by default option in Gmail?
>>
>> [1]: http://www.cryptolaw.org/
>
> Examining this website for marginally less than a minute tells me that encryption is generally banned in Saudi Arabia.
>
> But that's really beside the point. If we "fixed" RFC 2817 support, we could have opportunistic (better than nothing) crypto on *all* websites, rather than forcing every website to deploy HTTPS-only - pretty good win for privacy / anti-pervasive-surveillance.
>
> That is, making encryption optional, but available everywhere, is a bigger win than making it mandatory in a few places.
>
> Dave.
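The RFC 2817 exchange the thread is talking about, written out as an added worked example (this is not code from the thread or from any of the participants): the client sends `Upgrade: TLS/1.0` with `Connection: Upgrade`, the server answers `101 Switching Protocols` (or `426 Upgrade Required` if it insists on TLS), and the TLS handshake would then begin on the same socket. Both sides are simulated in-process, so nothing touches the network and no TLS handshake is actually performed. The `drop_hop_by_hop` round models an intermediary that does not forward hop-by-hop headers, and `UpgradeMemory` is a hypothetical HSTS-style cache that RFC 2817 does not define; both are assumptions added to show why "opportunistic" crypto needs some downgrade detection to be more than best effort.

```python
"""RFC 2817 TLS-upgrade exchange, simulated in-process (added example, not from the thread)."""
from __future__ import annotations

CRLF = "\r\n"
HOP_BY_HOP = {"connection", "upgrade"}  # RFC 2616 13.5.1 hop-by-hop headers


def build_upgrade_request(host: str, target: str = "*") -> bytes:
    """Client: OPTIONS request asking to switch this connection to TLS (RFC 2817 3.1).
    'Connection: Upgrade' makes the Upgrade header hop-by-hop."""
    lines = [f"OPTIONS {target} HTTP/1.1", f"Host: {host}",
             "Upgrade: TLS/1.0", "Connection: Upgrade", "", ""]
    return CRLF.join(lines).encode("ascii")


def build_plain_request(host: str, target: str = "/") -> bytes:
    """Client that does not know about RFC 2817: an ordinary cleartext GET."""
    return CRLF.join([f"GET {target} HTTP/1.1", f"Host: {host}", "", ""]).encode("ascii")


def parse_http_message(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a request/response head into its start line and a dict of
    lower-cased header names to values."""
    head = raw.decode("ascii").split(CRLF + CRLF, 1)[0]
    start, *header_lines = head.split(CRLF)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def _wants_tls_upgrade(headers: dict[str, str]) -> bool:
    """A well-formed RFC 2817 request lists TLS/1.0 in Upgrade *and* 'upgrade' in Connection."""
    upgrade = [t.strip().lower() for t in headers.get("upgrade", "").split(",")]
    conn = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return "tls/1.0" in upgrade and "upgrade" in conn


def server_respond(raw_request: bytes, tls_available: bool, require_tls: bool) -> bytes:
    """Server: 101 when the client asked for TLS and we can provide it,
    426 when we insist on TLS but the client did not ask, else 200 (cleartext)."""
    _, headers = parse_http_message(raw_request)
    if _wants_tls_upgrade(headers) and tls_available:
        # The TLS handshake would start right after these bytes on the same socket.
        return (f"HTTP/1.1 101 Switching Protocols{CRLF}Upgrade: TLS/1.0, HTTP/1.1{CRLF}"
                f"Connection: Upgrade{CRLF}{CRLF}").encode("ascii")
    if require_tls and tls_available:
        return (f"HTTP/1.1 426 Upgrade Required{CRLF}Upgrade: TLS/1.0, HTTP/1.1{CRLF}"
                f"Connection: Upgrade{CRLF}Content-Length: 0{CRLF}{CRLF}").encode("ascii")
    return f"HTTP/1.1 200 OK{CRLF}Content-Length: 0{CRLF}{CRLF}".encode("ascii")


def status_code(raw_response: bytes) -> int:
    start, _ = parse_http_message(raw_response)
    return int(start.split(" ")[1])


def drop_hop_by_hop(raw_request: bytes) -> bytes:
    """Intermediary that does not understand Upgrade: it legitimately drops the
    hop-by-hop headers, and with them the client's request to switch to TLS."""
    start, headers = parse_http_message(raw_request)
    kept = [f"{n.title()}: {v}" for n, v in headers.items() if n not in HOP_BY_HOP]
    return CRLF.join([start, *kept, "", ""]).encode("ascii")


class UpgradeMemory:
    """Hypothetical client-side cache (not part of RFC 2817): remember hosts that
    have upgraded before, so a later cleartext answer from such a host is flagged
    instead of silently accepted."""

    def __init__(self) -> None:
        self._upgraded_before: set[str] = set()

    def observe(self, host: str, code: int) -> str:
        if code == 101:
            self._upgraded_before.add(host)
            return "upgraded"
        if host in self._upgraded_before:
            return "possible-downgrade"  # this host used to upgrade; now it does not
        return "cleartext"               # never upgraded: opportunistic best effort


def simulate(host: str, tls_available: bool, intermediary_strips: bool,
             memory: UpgradeMemory) -> str:
    """One round trip: client asks to upgrade, the path may strip it, server answers."""
    req = build_upgrade_request(host)
    if intermediary_strips:
        req = drop_hop_by_hop(req)
    resp = server_respond(req, tls_available, require_tls=False)
    return memory.observe(host, status_code(resp))


if __name__ == "__main__":
    mem = UpgradeMemory()
    print(simulate("example.test", True, False, mem))  # upgraded
    print(simulate("example.test", True, True, mem))   # possible-downgrade
```

The second `simulate` call is the point of the thread's caveat: with the Upgrade header gone, the server sees a plain request and answers 200, which is indistinguishable from a server that never supported TLS at all. Only a client that remembers the earlier 101 can tell the difference, which is the same reasoning that later produced HSTS for HTTPS.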