Re: Public Key Pinning (was Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure)

From: Jeffrey Walton <noloader@gmail.com>
Date: Sun, 28 Dec 2014 16:37:53 -0500
Message-ID: <CAH8yC8nSCj+1b9ntkza+KMySmQA8xDiOd23YAsHDrdtN9hjgaw@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, blink-dev <blink-dev@chromium.org>

On Sun, Dec 28, 2014 at 4:21 PM, Chris Palmer <palmer@google.com> wrote:
> On Sat, Dec 27, 2014 at 3:12 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>> In this thread (https://www.ietf.org/mail-archive/web/websec/current/msg02261.html),
>> Chris Palmer suggested using shame as a security control.
> No, I did not. I hope that people followed the link and read the post.

Sorry to further this (but it's important for me to understand). Here
was the statement:

    If the device manufacturer is also taking administrative
    control over devices in the field, then market pressure
    (such as those articles) is the only recourse.

So are you stating market pressure and public humiliation are not shaming?

Or are you stating that shame is not a security control?

Or something else?

(I agree with "shame is not a security control", but I understand the
usefulness of shame and public humiliation. It seems others find shame
useful, too, like Certificate Transparency).

Received on Sunday, 28 December 2014 21:38:20 UTC
