Re: something I don't get about the current plan...

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 18 Nov 2013 00:18:39 +0100
To: Mike Belshe <mike@belshe.com>
Cc: httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <00hi891jobjjuca4kb53kl36tv3sf674s7@hive.bjoern.hoehrmann.de>

* Mike Belshe wrote:
>And I'm pointing out that Apple does exactly this for a very large
>population of developers.   I believe wholeheartedly that if 1M app
>developers can figure out how to get and maintain a cert, so can 1M website
>creators.  You have to admit that the top-1M websites and the top-1M apps
>have a very high overlap too. :-)

Is it necessary to install these Apple developer certificates online on
a shared hosting system? Do these certificates get revoked when a local
user privilege escalation vulnerability is discovered in the operating
system used? What happens when malware is discovered that is designed to
exfiltrate these certificates from developer machines or servers?

Not being able to make apps for computer systems with below 10% market
share is not a great loss, but once web browsers no longer connect to
insecure sites for security reasons, where would dissident groups get
their certificates from? Where would I get one from if I want to
intercept what Example Browser is sending to example.com?
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 17 November 2013 23:19:09 UTC