Re: Draft finding - "Transitioning the Web to HTTPS"

For the record (since I'm reading this months after the thread and
have time to review links).

Philip Jägenstedt wrote:
> Do you find it inappropriate that the Yandex Browser is currently
> unable to connect to https://crypto.cat/ and https://tv.eurosport.com/
> (demo site) with no apparent option for ignoring the problem?

I don't, apparently they "committed pinning-suicide" [1]:
>> Clients deciding that “pinning is good” have caused headaches at Google.
>> It's also worth noting that CryptoCat has committed pinning-suicide in
>> Chrome at the moment due to their CA having switched intermediates
>> between renewals. They're waiting for the release of Chrome 41 to recover.

An entity using a feature and messing up deserves what it gets.

> If not, you're already OK with browser vendors making such decisions,

Nope, CryptoCat made the decision on its own, you have to *ask* for
this pinning, and they clearly asked Google for it.

> and merely disagree about the cases in which it should be possible to
> ignore the certificate error.

Again, CryptoCat asked for pinning. Pinning means "Dear Browser, do
not trust *any* certificate from *any* CA other than this one {}, I
entity promise that I will not deploy a certificate for my server from
any CA that isn't this one {}, and any time you encounter a
certificate for a server portending to be mine but issued from some
other CA, you can be assured that it is an impersonation attempt."

Google Chrome and Yandex are honoring the declaration that CryptoCat made.

[1] https://www.imperialviolet.org/2015/01/17/notdane.html

Received on Sunday, 14 June 2015 18:04:09 UTC
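Added worked example (not part of the thread above, and not CryptoCat's or any browser's code): a small model of how HTTP Public Key Pinning (RFC 7469) matching works, showing why pinning a single CA intermediate is self-inflicted breakage when the CA switches intermediates at renewal, and why the RFC requires a backup pin. The "SPKI" values are constructed byte strings standing in for DER SubjectPublicKeyInfo blobs, so it runs offline with no TLS library; only the pin-sha256 format and the match rule come from the RFC.

```python
"""Model of HPKP (RFC 7469) pin matching with constructed keys.

The certificate chains below are lists of fake SPKI blobs (constructed
bytes, not real keys). A pin is base64(sha256(SPKI)), exactly the value
carried in a Public-Key-Pins: pin-sha256="..." directive.
"""
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
MAX_AGE_RE = re.compile(r'max-age=(\d+)')


def spki_pin(spki_der: bytes) -> str:
    """Pin value for one SPKI: base64 of its SHA-256 digest (44 chars)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(header: str):
    """Parse a Public-Key-Pins header into (set of pins, max-age seconds)."""
    pins = set(PIN_RE.findall(header))
    m = MAX_AGE_RE.search(header)
    return pins, (int(m.group(1)) if m else 0)


def chain_matches_pins(chain_spkis, pins) -> bool:
    """RFC 7469 match rule: the chain is accepted if ANY certificate in it
    (leaf, intermediate or root) has an SPKI whose pin is remembered."""
    return any(spki_pin(s) in pins for s in chain_spkis)


def header_acceptable(chain_spkis, pins) -> bool:
    """RFC 7469 section 2.5: a UA only notes pins when at least one pin
    matches the served chain AND at least one does not (a backup pin)."""
    present = {spki_pin(s) for s in chain_spkis}
    return bool(pins & present) and bool(pins - present)


# Constructed stand-ins for SPKI blobs (hypothetical, not real keys).
LEAF_2014 = b"constructed-leaf-key-2014"
LEAF_2015 = b"constructed-leaf-key-2015"
INTERMEDIATE_A = b"constructed-ca-intermediate-A"
INTERMEDIATE_B = b"constructed-ca-intermediate-B"
ROOT = b"constructed-ca-root"
BACKUP_KEY = b"constructed-offline-backup-key"


def pinning_suicide_scenario():
    """Site pinned only the intermediate its CA used in 2014.
    Returns (accepted before renewal, accepted after CA swaps intermediate)."""
    header = f'pin-sha256="{spki_pin(INTERMEDIATE_A)}"; max-age=5184000'
    pins, _ = parse_pkp_header(header)
    before = chain_matches_pins([LEAF_2014, INTERMEDIATE_A, ROOT], pins)
    # Renewal: perfectly valid chain, but issued under a different
    # intermediate, so nothing in it matches a remembered pin.
    after = chain_matches_pins([LEAF_2015, INTERMEDIATE_B, ROOT], pins)
    return before, after


def backup_pin_scenario():
    """Same site, but the header also pins an offline backup key the site
    controls. When the CA changes intermediates, the operator re-issues
    the leaf from the backup key and clients keep connecting."""
    header = (f'pin-sha256="{spki_pin(INTERMEDIATE_A)}"; '
              f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age=5184000')
    pins, _ = parse_pkp_header(header)
    noted = header_acceptable([LEAF_2014, INTERMEDIATE_A, ROOT], pins)
    recovered = chain_matches_pins([BACKUP_KEY, INTERMEDIATE_B, ROOT], pins)
    return noted, recovered


if __name__ == "__main__":
    print("single intermediate pin (before, after renewal):",
          pinning_suicide_scenario())
    print("with backup pin (header noted, recovered):", backup_pin_scenario())
```

The single-intermediate header in the first scenario would actually be rejected by a conforming browser at noting time (no backup pin), which is the RFC's built-in guard against exactly this mistake; the second scenario shows what the operator gains by holding a key that is not in the currently served chain.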