Re: Draft finding - "Transitioning the Web to HTTPS" from Ashok Malhotra on 2015-01-19 (www-tag@w3.org from January 2015)

From: Ashok Malhotra <ashok.malhotra@oracle.com>
Date: Mon, 19 Jan 2015 10:08:08 -0500
To: "henry.story@bblfish.net" <henry.story@bblfish.net>, Public TAG List <www-tag@w3.org>
CC: Anne van Kesteren <annevk@annevk.nl>, Henry Thomson <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Paul Libbrecht <paul@hoplahup.net>
Message-ID: <54BD1DD8.3060903@oracle.com>

Probably not worth worrying too much about IoT.
Most of the action is not on the Web and it will use
specialized protocols such as MMLP, not HTTP.
All the best, Ashok

On 1/19/2015 8:44 AM, henry.story@bblfish.net wrote:
> A few points that struck me reading this thread over the last month:
>
> 1. Internet of Things and caches
>
> The internet of things is probably going to pretty localised. We imagine sensors in houses, etc…
> If these sensors use anything to communicate then they would probably be using udp over
> tcp/ip. And whatever they do, they probably should not be communicating over the wider
> internet, but only within the space at which they are located. ( or else we get huge problems
> with privacy ). If that is so then we should imagine a setup where these communicate with
> something like a local server. The local server can then communicate over the web with remote
> server to exchange larger chunks of information that what any single device can communicate.
> So I don’t see the case for internet things and internet caches.
>
>
> 2. CAs and DNSsec
>
> The CA system by itself is broken, and it needs to be enhanced by a DNSSec based
> mechanism. Protocols for both CA and DNSSEC key registration by web servers should
> be developed. I can think of reasonably simple ways of doing that with the semantic web.
> It is not because something is difficult to use at present that it has to remain so. Unix
> used to be difficult to use, now it is running most cell phones.
>
> 3. Unneeded cryptography
>
> First I think TLS has a mode with 0 encryption. This should of course be visible in the UI.
> ( just verification that the content has not been changed en route)
> This may cover some of the issues brought up, such as those related to encrypting large
> video files.
>
> 4. Binary Caches
>
> These form the larges amount of data on the web of course, but tend to be things that
> don’t change very often. With 0 encryption TLS perhaps proxies could be changed
> to cache non encrypted content, with the original site publishing a hash of the original
> binary conent.
>
> One can also imagine URLs for a new protocol that refer to a representation rather
> than resources. These would be most useful for binary content. This would allow
> any web site to make copies of the content and republish it. This would of course
> only work for content that has very open Intellectual Property rights associated with it.
>
> 5. Client side certificates
>
> This whole debate has left out the single sign on mechanisms that come with TLS.
> Global client authentication is just as useful and important as to create a distributed
> social web that is privacy aware.
> A protocol to make use of TLS client authentication reducing the cost of it has been
> described by the WebID group. See the WebID-TLS spec here:
>
> http://www.w3.org/2005/Incubator/webid/spec/
>
> This could also be used as a basis to increase the web of trust server side as
> described in my presentation at the EU IDentity conference in Switzerland a few
> years ago
>
> http://www.w3.org/2005/Incubator/webid/spec/
>
> Just some thoughts,
>
> Henry Story
>
> Social Web Architect
> http://bblfish.net/
>

Received on Monday, 19 January 2015 15:09:31 UTC