RE: Draft finding - "Transitioning the Web to HTTPS"

I really don't want to spend too much time delving into debunking of do-it-yourself crypto schemes, but to just give you an idea: how does the browser get the server's public key over an untrusted channel?

I'd encourage you to take such questions to another venue like StackOverflow.

-----Original Message-----
From: Marc Fawzi [mailto:marc.fawzi@gmail.com] 
Sent: Friday, December 12, 2014 22:48
To: Anne van Kesteren
Cc: Paul Libbrecht; Melvin Carvalho; Tim Bray; Chris Palmer; Bjoern Hoehrmann; Mark Nottingham; Noah Mendelsohn; www-tag@w3.org List
Subject: Re: Draft finding - "Transitioning the Web to HTTPS"

Not an argument against https-everything but would anyone say that the web could have been taken into another more interesting direction with "built in" Web Crypto-based request encryption (built in means not downloaded as a script but built into the browser) and web servers that encrypt the response using the user's public key. Why would we need a centralized certificate authority? Why do we assign the authority to a 3rd party? If my browser can detect the sever's capability, gets it's public key and automatically encrypts every request I send to it then what would be the reason for having a certificate authority? 

Sent from my iPhone

> On Dec 12, 2014, at 1:59 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
>> On Fri, Dec 12, 2014 at 9:55 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
>> But not UI has appeared doing that.
> 
> I'm hopeful for https://letsencrypt.org/ to make this easy over time 
> (and eventually simply the default with shared hosting setups). Until 
> then dealing with the UI mess that is StartSSL or paying a bit for 
> SSLMate is the way to go.
> 
> 
> --
> https://annevankesteren.nl/

Received on Saturday, 13 December 2014 04:19:32 UTC