W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Reasonable proposal for migrating to 2.0

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Sun, 17 Nov 2013 21:57:22 +0000
To: Willy Tarreau <w@1wt.eu>
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <58332.1384725442@critter.freebsd.dk>
In message <20131117204928.GA18577@1wt.eu>, Willy Tarreau writes:

>1) browser: make the root and/or cert issuer on HTTPS sites for the main
>   page visible all the time, just like the page's title is currently
>   visible (add it next to the title or at the bottom ?)

That could work for open-source browsers.  For closed source browsers
of US origin, there's no telling what they can or will tell the user
or what relationship that might have with the truth.

>2) protocol: add a new "httpe://" scheme

Anything which tries to add another scheme is going to be serious
uphill work, so it had better be for a reason which amounts to
more than some cryptographic mumbo-jumbo 99.9% of webmasters
are not entirely sure what means.

I don't think your idea clears that hurdle.

I think it is a better idea to just stick with "https:" and leave
it to the server side to negotiate as much security as they want,
and hope that user-agents faithfully indicates this to the user.

>3) browser: get rid of the ability to bypass the cert error for HTTPS
>   (except maybe for developers using a config option). 

See above.

At least 50% of the pervassive surveillance problem is software we
cannot trust on the client side.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Sunday, 17 November 2013 21:57:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC