
Re: something I don't get about the current plan...

From: Mike Belshe <mike@belshe.com>
Date: Sun, 17 Nov 2013 15:02:29 -0800
Message-ID: <CABaLYCumbcLSMfQr8skfr2WzZaRmT19BvbirYKMnZRG=PXqKLA@mail.gmail.com>
To: Bruce Perens <bruce@perens.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
On Sun, Nov 17, 2013 at 2:46 PM, Bruce Perens <bruce@perens.com> wrote:

>  On 11/17/2013 02:25 PM, Mike Belshe wrote:
>
>
>
>  But you took this in a different direction from Stephen's original
> question.  He asked whether it was realistic to expect websites to all go
> get certificates.
>
>  And I'm pointing out that Apple does exactly this for a very large
> population of developers.   I believe wholeheartedly that if 1M app
> developers can figure out how to get and maintain a cert, so can 1M website
> creators.  You have to admit that the top-1M websites and the top-1M apps
> have a very high overlap too. :-)
>
>   We expect applications to have a provable chain of custody because they
> exercise control functions on our devices.
>

The top-million websites are applications too.  Increasingly we expect more
and more of these websites, and we would like them to work better on small
devices as well.  We would like to be able to tweet a photo from a web app
on our phones.  We would like to be able scan a QR Code from a web page on
our phone.

I see no reason why you would want unauthenticated web apps any more than
you'd want unauthenticated native apps.

But we're traveling off topic from Stephen's question again...


>
> We very carefully sandbox programs that are run at the behest of web pages
> so that they don't exercise control functions on our devices.
>
> So, the reason for the expectation is very different. And thus no, it is
> not realistic to expect the top 1 Million web sites to all be signed.
>
> Anyway, Apple's rules aren't a public mandate. I visited the president of
> Italy once, and he called it "corporate totalitarianism".
>



The point is that cert deployment for the masses is very realistically
doable.   And in fact, it has been done before.  So I don't believe these
arguments that claim that website operators won't be able to do it.

Mike




>
>     Thanks
>
>     Bruce
>
Received on Sunday, 17 November 2013 23:02:58 UTC
