Re: Proposal: Prefer secure origins for powerful new web platform features from John Kemp on 2014-08-22 (public-webappsec@w3.org from August 2014)

From: John Kemp <john@jkemp.net>
Date: Fri, 22 Aug 2014 17:06:27 -0400
To: Chris Palmer <palmer@google.com>
CC: Jeffrey Yasskin <jyasskin@google.com>, Adam Langley <agl@google.com>, Eduardo' Vela <evn@google.com>, Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <53F7B0D3.9080306@jkemp.net>

HI Chris,

On 08/22/2014 04:31 PM, Chris Palmer wrote:
> On Fri, Aug 22, 2014 at 12:44 PM, John Kemp <john@jkemp.net> wrote:
>
>> What can a browser tell you
>> about an essentially unknown web server?
>
> It can tell you whether or not the server's cryptographic identity was
> vouched-for in public by a known trusted third party. (Certificate
> Transparency.) It can tell you whether or not the identity is
> computationally infeasible to forge. (Run-time checks on the
> negotiated cryptographic parameters and the key material.) It can tell
> you whether or not the identity is in a small set of
> previously-known-good key <-> DNS name mappings. (Key pinning,
> including pre-loaded key pinning.) It can tell you whether or not the
> server refers to resources and code that are also authenticated.
> (Mixed-mode content checking.)
>
> If that's not good enough for you, well, I'm sorry. It's the state of
> the art in 2014. If you have some ideas to advance the state of the
> art, we'd all love to hear them.
>
> If your point is that the state of the art will never be good enough
> to satisfy you, then I'll stop responding. I'm not interested in
> security nihilism.

Heh :)

But seriously, characterizing the argument this way minimizes both your 
achievements, and my argument.

The technology has certainly improved. And the problem is a hard one. 
But I am not a "security nihilist", and my argument shouldn't be seen 
that way.

I simply think access to web platform features should not be limited to 
those servers who have paid some (pretty small) amount of money to 
someone else the user doesn't actually know to vouch for them that they 
should have the user's trust in these matters using a technology (with 
all due respect to your work, and others) that _outside of additional 
non-technical context_ does not provide enough of a guarantee of secure 
mutual authentication.

Reasonable people can still disagree with you without being nihilists.

Regards,

- johnk

Received on Friday, 22 August 2014 21:07:03 UTC