Re: [W3C TCP and UDP Socket API]: Status and home for this specification from Florian Bösch on 2015-04-02 (public-sysapps@w3.org from April 2015)

From: Florian Bösch <pyalot@gmail.com>
Date: Thu, 2 Apr 2015 15:00:35 +0200
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "Nilsson, Claes1" <Claes1.Nilsson@sonymobile.com>, "public-sysapps@w3.org" <public-sysapps@w3.org>, public-webapps <public-webapps@w3.org>, Device APIs Working Group <public-device-apis@w3.org>, Domenic Denicola <domenic@domenicdenicola.com>, "slightlyoff@chromium.org" <slightlyoff@chromium.org>, Jeffrey Yasskin <jyasskin@google.com>, "mkwst@google.com" <mkwst@google.com>
Message-ID: <CAOK8ODh0t3iyxJ9YkSRY3VQc6yKOj7TtUhD-vGjVxfA48t52gQ@mail.gmail.com>

On Thu, Apr 2, 2015 at 2:40 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:
>
> Obviously we need a model where the code is "vetted" for
> DoingTheRightThing(tm).
>

This is essentially about two things: trust and the capability to "vet".
Both of these things cannot be solved conclusively, or without severe
drawbacks as I'll show.

The prevailing model of trust for vetting apps is app-stores. There the
trust is hierarchical "I trust Apple, therefore I trust what they put in
the app-store".  A slightly more elaborate hierarchical trust scheme is
SSL, but it's really the same thing. This model has several problems:

   - If Apple gets pwned, everybody who trusted apple is screwed. This
   might be judged as a six-sigma event in the case of apple, but in the case
   of SSL certificate authority it's a frequent occurence.
   - The one on top of the (shallow or deep) hierarchy of trust gets to
   extract rent from everybody else. Apple takes a $99/year + 30% with some
   conditions. Certificate authorities charge anything between $10 and several
   thousands for their services.
   - Responsibility of vetting flows to the top, where it creates a vetting
   bottleneck. It's for this reason that it can take you weeks, or months if
   you're unlucky, to get your app in the app store. It's quite perplexing to
   be technically able to push updates a dozen times a day, yet you can't
   because every update is gonna cost you money and two weeks (tm) till it
   hits your audience.

The only alternative of a hierarchical trust system is a graph of trust
relationships which is used to aggregate trust between two nodes in it.
This is in principle a fine system, however, it too has a severe flaw. It
cannot account for "good" nodes that successfully pretend to be good, and
then one day turn bad. The revocation of trust in such a graph takes
considerable time since it depends on all connected nodes to adjust their
trust relationship. By the time that has happened, considerable damage may
incur.

It's for these reasons that trust/vetting based solutions cannot be used in
a heterogenous M:N market that the web finds itself in. It creates hard to
quantify risks, inconveniences everyone and puts up barriers to entry.

Received on Thursday, 2 April 2015 13:01:04 UTC