Re: Mandatory encryption from Eliot Lear on 2012-07-18 (ietf-http-wg@w3.org from July to September 2012)

From: Eliot Lear <lear@cisco.com>
Date: Wed, 18 Jul 2012 15:56:26 +0200
To: Mike Belshe <mike@belshe.com>
CC: Willy Tarreau <w@1wt.eu>, Phillip Hallam-Baker <hallam@gmail.com>, Paul Hoffman <paul.hoffman@gmail.com>, grahame@healthintersections.com.au, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <5006C08A.6000608@cisco.com>

Mike,

On 7/18/12 8:54 AM, Mike Belshe wrote:
> Show me the user that will stand up and say, "Yes, I would like my
> communications to be snoopable and changeable by 3rd parties without
> my knowledge."

This is a red herring.  The real argument is around the ability of all
web servers to get certificates that the browser will  / should trust,
or using a means of trust that doesn't require certificate chains. The
server administrator must not be put in a position of having to pay an
annual fee to avoid the client warning, because that introduces at least
a potential externality in that the server administrator may not value
avoiding the warning in the way that you would expect.  Certainly the
end user doesn't act appropriately against the warning, which is why
we're having this discussion[1,2][*]. 

Eliot

[1] Herley, C., “So Long, And No Thanks for the Externalities: The
Rational Rejection of Security Advice by Users”, /NSPW’09/, September
8–11, 2009.
[2] Edelman, S., et al, “You've been warned: an empirical study of the
effectiveness of web browser phishing warnings”,/Proceedings of the
twenty-sixth annual SIGCHI conference on Human factors in computing
systems/ , 2008.
[*] There are probably dozens of citations in this space.

Received on Wednesday, 18 July 2012 13:57:00 UTC