W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Tue, 30 Dec 2014 18:26:46 -0700
To: Chris Palmer <palmer@google.com>
Cc: Marc Fawzi <marc.fawzi@gmail.com>, "henry.story@bblfish.net" <henry.story@bblfish.net>, Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <20141230182646.e984aa0fac3d3b9d69247b02@bisonsystems.net>
Chris Palmer wrote:
> TLS is the transport layer security protocol we have. It is widely
> supported and deployed.

So is HTTP-Digest. Whether content is encrypted or not, Authentication
headers seem a better solution to me than HTTPS-secured cookies. So
maybe Authentication headers (even for unauthenticated users) have some
use after all, where security and privacy are concerned. And maybe, if
we have *that* debate, we'll come up with an alternative that's no less
widely supported and deployed (at least potentially) than HTTPS.

> Any proposed competitor for TLS — are you proposing one? — is likely
> to be roughly as complex and is likely to take roughly as long to
> develop as TLS has.

Disagree on development time. A solution informed by, and enhancing,
what we've learned from HTTP and HTTPS, wouldn't necessarily take very
long to develop. Whether it's more or less complex than TLS seems like
a non-issue if it actually solves the problem.

Received on Wednesday, 31 December 2014 01:27:00 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:27 UTC