Re: Draft finding - "Transitioning the Web to HTTPS"

Noah Mendelsohn wrote:
> 
> Mark Nottingham wrote:
>
> > While I agree with you in spirit — we should be building a Web for
> > the long term, and we should allow unintended reuse — this seems
> > like an argument that “we shouldn’t do X because it might reduce
> > utility in undefined, far-future circumstances,” and that’s a VERY
> > high bar to get past. It’s also one that AFAICT we haven’t applied
> > to any other decision made at the W3C.
> 
> I buy your concern up to a point, but I think the case can be made
> that caching has shown its utility often and in many distributed
> systems, including until fairly recently (some argue still) on the
> Web.
> 

More broadly, I'd say that intermediary participation in network
communications has shown its utility. Not just caches, but malware/
virus/spam gateways which recognize both :25 and webmail, for example.
None of which are necessarily caches; just the sort of baby that gets
thrown out with the bathwater, when intermediary participation gets
redefined as simply a concern over "YAGNI" caching to justify its
demise.

> 
> Whichever path we choose is a gamble. Maybe a balanced analysis would
> indeed suggest the emerging emphasis on https, but I confess that at
> times the discussion has seemed a bit weighted toward presuming that
> it is.
> 

My problem entirely, to the point I find it worth re-iterating that I'm
not against privacy, merely the assumption that TLS is the only
solution to that problem. My argument has been mis-characterized as pro
HTTP-digest, but I really only bring that up as a starting point -- a
better HTTP-auth scheme, including end-to-end integrity checking, seems
a viable alternative to the status quo. And one which must be falsified,
before continuing to endorse said status quo.

-Eric

Received on Tuesday, 27 January 2015 03:12:10 UTC