Re: Draft finding - "Transitioning the Web to HTTPS" from Melvin Carvalho on 2014-12-12 (www-tag@w3.org from December 2014)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 12 Dec 2014 19:45:42 +0100
To: Mark Watson <watsonm@netflix.com>
Cc: Domenic Denicola <d@domenic.me>, Marc Fawzi <marc.fawzi@gmail.com>, "Eric J. Bowman" <eric@bisonsystems.net>, Chris Palmer <palmer@google.com>, Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <CAKaEYhKW99VB7wc6v7HUh2-ZXqBB1m_kzag4cXhNrkfcA3owZA@mail.gmail.com>

On 10 December 2014 at 18:26, Mark Watson <watsonm@netflix.com> wrote:

>
>
> On Wed, Dec 10, 2014 at 9:18 AM, Domenic Denicola <d@domenic.me> wrote:
>>
>>
>> Nope, web crypto needs a secure transport to make any sense at all. It's
>> a bootstrapping problem. If you're on an insecure channel (whether HTTP or
>> employer-MITMed HTTPS), web crypto provides no guarantees at all.
>>
>
> This is a side issue that we should not rathole on, but the reason the
> WebCrypto Working Group declined to restrict WebCrypto to secure origins
> was that there are some *limited* things that can be obtained with
> WebCrypto even for HTTP sites. For example, confidentiality against passive
> monitoring. The counter-argument is that such things are of no utility, but
> that is a use-case-dependent judgement call, rather than a technical issue.
>

+1

<offtopic>

Web crypto has limited use.  I've come to the conclusion that localStorage
+ polyfill will meet needs.

</offtopic>


>
> ...Mark
>
>
>
>

Received on Friday, 12 December 2014 18:46:09 UTC