W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

RE: Draft finding - "Transitioning the Web to HTTPS"

From: Domenic Denicola <d@domenic.me>
Date: Sat, 13 Dec 2014 04:18:59 +0000
To: Marc Fawzi <marc.fawzi@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
CC: Paul Libbrecht <paul@hoplahup.net>, Melvin Carvalho <melvincarvalho@gmail.com>, Tim Bray <tbray@textuality.com>, Chris Palmer <palmer@google.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <CY1PR0501MB13697098A4017A96496FF198DF610@CY1PR0501MB1369.namprd05.prod.outlook.com>
I really don't want to spend too much time delving into debunking of do-it-yourself crypto schemes, but to just give you an idea: how does the browser get the server's public key over an untrusted channel?

I'd encourage you to take such questions to another venue like StackOverflow.

-----Original Message-----
From: Marc Fawzi [mailto:marc.fawzi@gmail.com] 
Sent: Friday, December 12, 2014 22:48
To: Anne van Kesteren
Cc: Paul Libbrecht; Melvin Carvalho; Tim Bray; Chris Palmer; Bjoern Hoehrmann; Mark Nottingham; Noah Mendelsohn; www-tag@w3.org List
Subject: Re: Draft finding - "Transitioning the Web to HTTPS"

Not an argument against https-everything but would anyone say that the web could have been taken into another more interesting direction with "built in" Web Crypto-based request encryption (built in means not downloaded as a script but built into the browser) and web servers that encrypt the response using the user's public key. Why would we need a centralized certificate authority? Why do we assign the authority to a 3rd party? If my browser can detect the sever's capability, gets it's public key and automatically encrypts every request I send to it then what would be the reason for having a certificate authority? 

Sent from my iPhone

> On Dec 12, 2014, at 1:59 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> 
>> On Fri, Dec 12, 2014 at 9:55 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
>> But not UI has appeared doing that.
> 
> I'm hopeful for https://letsencrypt.org/ to make this easy over time 
> (and eventually simply the default with shared hosting setups). Until 
> then dealing with the UI mess that is StartSSL or paying a bit for 
> SSLMate is the way to go.
> 
> 
> --
> https://annevankesteren.nl/
Received on Saturday, 13 December 2014 04:19:32 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:27 UTC