public-webappsec@w3.org mailing list archive, December 2014

Re: Public Key Pinning (was Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure)

From: Ryan Sleevi <sleevi@google.com>
Date: Sun, 28 Dec 2014 13:46:57 -0800
Message-ID: <CACvaWvbhF0Txbd2FunfLs6bzO2w8nrt-ZLjF82BpptoFSU=Faw@mail.gmail.com>
To: Jeffrey Walton <noloader@gmail.com>
Cc: security-dev <security-dev@chromium.org>, Chris Palmer <palmer@google.com>
non-security-dev to BCC.

Response inline
On Dec 28, 2014 1:37 PM, "Jeffrey Walton" <noloader@gmail.com> wrote:
>
> On Sun, Dec 28, 2014 at 4:21 PM, Chris Palmer <palmer@google.com> wrote:
> > On Sat, Dec 27, 2014 at 3:12 PM, Jeffrey Walton <noloader@gmail.com> wrote:
> >
> >> In this thread (https://www.ietf.org/mail-archive/web/websec/current/msg02261.html),
> >> Chris Palmer suggested using shame as a security control.
> >
> > No, I did not. I hope that people followed the link and read the post.
>
> Sorry to further this (but it's important for me to understand). Here
> was the statement:
>
>     If the device manufacturer is also taking administrative
>     control over devices in the field, then market pressure
>     (such as those articles) is the only recourse.
>
> So are you stating market pressure and public humiliation is not shaming?

Chris did not say public humiliation. That is a subjective interpretation,
but is not what was stated.

>
> Or are you stating that shame is not a security control?
>
> Or something else?
>
> (I agree with "shame is not a security control", but I understand the
> usefulness of shame and public humiliation. It seems others find shame
> useful, too, like Certificate Transparency).

Certificate Transparency is not a shame mechanism. It is a complement and
technical control to what in theory occurs in an audit, but not in practice.
Received on Sunday, 28 December 2014 21:47:24 UTC