W3C home > Mailing lists > Public > public-webcrypto@w3.org > June 2012

The Adequacy of HTTPS as a Transport

From: Nadim Kobeissi <nadim@nadim.cc>
Date: Tue, 12 Jun 2012 15:49:46 -0400
Message-ID: <4FD79D5A.1050304@nadim.cc>
To: public-webcrypto@w3.org
Hi everyone,
I believe that since we're trying to implement crypto primitives that
web applications will call through served code, we should also address
whether HTTPS/SSL is a good enough transport on which we can rely for
those calls to be served securely.

There have been many high-profile cases over the past year (Comodo,
VeriSign, to name a few) that have cast the HTTPS certificate authority
system in an unfavorable light. Can we agree on whether HTTPS is
sufficient to be used jointly with our W3Crypto framework, or whether we
need to improve it before we can rely on it as our transport?

It is my opinion that the security of the transport transport is just as
valuable as that of our API, and that this merits a discussion at least.
It might be out of the scope of what we're hoping to accomplish here,
though, and that's understandable.

Thanks,
NK
Received on Tuesday, 12 June 2012 19:50:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 12 June 2012 19:50:23 GMT