
Re: Privacy and its costs (was: Re: Mandatory encryption)

From: Reto Bachmann-Gmür <reto@gmuer.ch>
Date: Fri, 20 Jul 2012 16:20:48 -0700
Message-ID: <CALvhUEXvsN2k61=0zA5TbVLHA89SoBa43Vms1ZJxJ9ruSHqf=A@mail.gmail.com>
To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Cc: Tim Bray <tbray@textuality.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Jul 18, 2012 at 5:13 PM, "Martin J. Dürst" <duerst@it.aoyama.ac.jp> wrote:

> Why don't you actually go to the trouble of moving Ongoing to TLS, with a
> chained (i.e. not self-signed) certificate, and tell us how many working
> hours/days and how much money it took you to set it up. This may make for
> an interesting learning experience, and an interesting blog entry.
>

Popping in here because I indeed remember the pain of getting this CA-signed
certificate for my personal site. I did it because I felt publishing a
WebID on an unsecured server is quite pointless (well, it offers around the
same security as verifying an identity by checking the email address).

By contrast, I remember no pain migrating from telnet to ssh. So my hope was
that if encryption becomes standard on the web, using it (both as client and
as server) becomes much easier. I doubt that the current CA/PKI approach is
a reasonable default behaviour. Trust on first use (TOFU) enhanced with
either social public key exchange or a notary server (as in
Perspectives [1]) might offer a better balance of security and simplicity of
use.

Cheers,
Reto

PS: But yes, an answer to the question "why is your blog http and not https?"
could be "because cool URIs don't change, and when security becomes standard
that S is obsolete".


[1] http://static.usenix.org/event/usenix08/tech/full_papers/wendlandt/wendlandt_html/
Received on Friday, 20 July 2012 23:21:16 GMT
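The TOFU-plus-notary idea sketched in the message above, as an added illustration that is not part of the thread and not Perspectives' own code: a client keeps a pinned certificate fingerprint per host (trust on first use) and, whenever the presented fingerprint differs from the pin or no pin exists yet, asks a set of notaries what key they have observed for that host and only accepts when a quorum agrees. The host names, the `TofuStore` class, the notary dictionaries and the "certificate" byte strings are all constructed for the example; the fingerprint is a SHA-256 of the (placeholder) DER bytes, as a real pinning client would compute over the actual certificate.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded; this is the pinned value."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed placeholder "certificates" (not real DER, just distinct byte strings).
CERT_A = b"constructed-cert-example-key-1"
CERT_B = b"constructed-cert-example-key-2"   # a legitimate key rotation
CERT_X = b"constructed-cert-unknown-key"     # a key no notary has ever observed


def sample_notaries() -> dict:
    """Constructed notary view: notary name -> {host: fingerprint it last observed}."""
    fp_a = fingerprint(CERT_A)
    return {
        "notary-1": {"example.org": fp_a},
        "notary-2": {"example.org": fp_a},
        "notary-3": {"example.org": fp_a},
    }


@dataclass
class TofuStore:
    """TOFU pin store cross-checked against notaries (Perspectives-style quorum)."""
    notaries: dict                                   # assumed in-memory stand-in for notary queries
    pins: dict = field(default_factory=dict)         # host -> pinned fingerprint
    quorum: int = 2                                  # notaries that must agree on a key

    def notary_votes(self, host: str, fp: str) -> int:
        """How many notaries currently report this fingerprint for the host."""
        return sum(1 for obs in self.notaries.values() if obs.get(host) == fp)

    def check(self, host: str, cert_der: bytes) -> str:
        """Return a verdict string; pins are only written when notaries corroborate."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned == fp:
            return "ok-pinned"                       # same key as last time: plain TOFU success
        if self.notary_votes(host, fp) >= self.quorum:
            self.pins[host] = fp                     # notaries agree: first pin or accepted rotation
            return "ok-first-use" if pinned is None else "ok-rekeyed"
        if pinned is None:
            return "unverified-first-use"            # no pin, no corroboration: do not pin yet
        return "mismatch-reject"                     # pin differs and notaries do not back the new key


if __name__ == "__main__":
    store = TofuStore(sample_notaries())
    for cert in (CERT_A, CERT_A, CERT_X):
        print("example.org", store.check("example.org", cert))
```

The verdicts are deliberately coarse: a real client would treat `unverified-first-use` as "prompt the user or fall back to the CA chain", and `mismatch-reject` as the signal that either an active interception or an uncorroborated key change is in progress. Rotation is handled by updating what the notaries see, not by editing the pin store directly, which is the property that makes the quorum useful.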