Brad Hill <hillbrad@gmail.com>, 2014-10-20 10:00 -0700:
...
> The idea I was tossing around would be to have some different kind of
> secure introduction ceremony to replace the untrusted certificate
> dialog *for hosts on the local network only*. Perhaps something like
> Bluetooth / WPS pairing, where the user could get a page that tells
> them this is a locally connected device and they have to enter a
> pairing code to trust it, with other-than-standard HTTPS UX treatment
> following, but less strict rules about mixed content blocking, etc.
> than an untrusted or HTTP connection would receive.
>
> There are a number of moving parts involved to get this right:
> - definitely UI, which the W3C doesn't have a great history in, but
> perhaps which we can describe the requirements for without
> prescriptively specifying

If you/the group decide to document those kinds of requirements, anybody
involved would probably benefit from taking a look at the related previous
attempt in http://www.w3.org/TR/wsc-ui/

--Mike

> - thinking about what constitutes a "locally attached network
> device", how to detect and verify that, and how to manage subsequent
> accesses over a WAN
> - some Fetch rules similar to Mixed Content
> - perhaps a certificate extension to identify these devices
--
Michael[tm] Smith http://people.w3.org/mike