- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Mon, 8 Jan 2007 23:13:51 -0600
- To: "W3 Work Group" <public-wsc-wg@w3.org>
- Message-ID: <08CA2245AFCF444DB3AC415E47CC40AF627E6F@G3W0072.americas.hpqcorp.net>
There's more to the web than just big iron sitting in colo. I keep an SSL server running at home. It has a self-signed certificate. My ethernet router came with a built-in HTTP server for making configuration settings. I wish it had a self-signed certificate. I wish my home phone answering machine had an HTTPS site to allow me to get my messages over the web. I wish my home's furnace had an HTTPS site so I could configure it while away. These are all practical things. They are also security sensitive. I don't want the neighbourhood brats putting my furnace to maximum after they soap my windows.

Today, I can safely authenticate these self-signed certificates using the Petname Tool addon. My web browser is a little clueless (silly popup dialog), acting like it is not secure when it's actually very secure. The Petname Tool remembers the self-signed certificates for me and nicely points out which one I am currently talking to. A smarter browser would realize I had assigned a petname to that site, thus binding the domain name to a public key, and so not bark when the same public key was used for the same domain name.

Self-signed certificates can be supported with excellent security. The current browsers just haven't figured it out yet. Hopefully we can do something about this before the world of appliances is permanently banished from the secure web.

Cost *matters* for appliances.

Tyler

________________________________
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Monday, January 08, 2007 5:30 AM
To: George Staikos <staikos
Cc: W3 Work Group
Subject: Re: Browser security warning

I agree that cost is not the biggest issue. Convenience/usability and control/policy seem to be much more important.
Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

George Staikos <staikos@kde.org>
Sent by: public-wsc-wg-request@w3.org
01/07/2007 03:54 PM

To:      W3 Work Group <public-wsc-wg@w3.org>
cc:
Subject: Re: Browser security warning

On 27-Dec-06, at 9:20 AM, Stephen Farrell wrote:

> Stuart E. Schechter wrote:
>
>> I don't think there is a large set of sites that can't afford a
>> CA cert (category 2) and actually require the security offered by HTTPS.
>
> I don't know of any evidence for that, but would be interested if there
> were some. (Technically, I could also quibble a bit with your statement,
> since we're discussing server-authentication, so I guess you meant an
> SSL-server cert above and HTTPS can also be used with D-H, without
> providing server authentication, though that doesn't get much use.)
>
> (At least in the developed world,) the point is not the actual amount,
> but whether or not to increase the existing bias towards getting
> people to pay commercial CAs for certs or not. Commercial CAs have
> their purpose, but should not IMO be required in order to create a
> perception of security for HTTP traffic. Sometimes they are
> appropriate, sometimes they just add a burden that arguably could
> cause less use of SSL - if it's too much hassle to turn it on.

I think we should aim to avoid talking about costs. Market pressures will solve this problem, and FWIW, the cost of a certificate is absolutely minuscule in the scope of the cost of operating a site no matter which country that site is located in. Home users and non-commercial users can just use their own issuing CA or self-signed cert.

--
George Staikos
KDE Developer                     http://www.kde.org/
Staikos Computing Services Inc.   http://www.staikos.net/
Received on Tuesday, 9 January 2007 05:14:03 UTC
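The binding Tyler describes above (a petname assigned by the user ties a domain name to a public key, and the browser should stay quiet when the same key shows up again under the same name, and complain only when the key changes) is a trust-on-first-use pin. The following is an added example that is not part of the thread and is not the Petname Tool's own code: a minimal petname store plus a hypothetical UI policy of my own (`browser_action`). The host names and the key byte strings are constructed stand-ins; a real implementation would hash the DER-encoded SubjectPublicKeyInfo extracted from the presented certificate.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple


def spki_fingerprint(spki_der: bytes) -> str:
    """Fingerprint of the server's public key (SHA-256 over the SPKI bytes).
    The binding pins the key, not the certificate, so an appliance can re-issue
    a self-signed cert for the same key without tripping a warning."""
    return hashlib.sha256(spki_der).hexdigest()


def normalize_host(hostname: str) -> str:
    """Bindings are keyed by host name; canonicalize so that 'Furnace.Home.'
    and 'furnace.home' hit the same entry."""
    return hostname.strip().rstrip(".").lower()


@dataclass
class PetnameStore:
    """Maps a host name to the petname the user chose and the key seen then."""
    bindings: dict = field(default_factory=dict)  # host -> (petname, fingerprint)

    def assign(self, hostname: str, petname: str, spki_der: bytes) -> None:
        """User-initiated, never automatic: this call *is* the trust decision.
        Petnames must be unique, or the name in the UI stops identifying a site."""
        host = normalize_host(hostname)
        for other_host, (other_name, _) in self.bindings.items():
            if other_name == petname and other_host != host:
                raise ValueError(f"petname {petname!r} already names {other_host}")
        self.bindings[host] = (petname, spki_fingerprint(spki_der))

    def check(self, hostname: str, spki_der: bytes) -> Tuple[str, Optional[str]]:
        """Classify a connection:
          ("unknown", None)   no binding for this host: first contact
          ("trusted", name)   same host, same key as when the petname was assigned
          ("mismatch", name)  same host, different key: what a MITM looks like"""
        host = normalize_host(hostname)
        if host not in self.bindings:
            return ("unknown", None)
        petname, pinned = self.bindings[host]
        if spki_fingerprint(spki_der) == pinned:
            return ("trusted", petname)
        return ("mismatch", petname)


def browser_action(store: PetnameStore, hostname: str, spki_der: bytes,
                   ca_chain_valid: bool) -> str:
    """Hypothetical UI policy (mine, not the Petname Tool's): a matching petname
    silences the self-signed warning; a mismatched key blocks even when a CA
    vouches for the new certificate, because the user's own binding says otherwise."""
    verdict, petname = store.check(hostname, spki_der)
    if verdict == "mismatch":
        return f"block: key for {petname!r} changed"
    if verdict == "trusted":
        return f"proceed as {petname!r}"
    if ca_chain_valid:
        return "proceed (CA-validated)"
    return "first contact: offer to assign a petname"


# Constructed stand-in keys; real code would extract the SPKI DER from the cert.
FURNACE_KEY = b"-- constructed furnace SPKI bytes --"
ATTACKER_KEY = b"-- constructed attacker SPKI bytes --"


def demo() -> list:
    """Walk through Tyler's furnace scenario and return the browser's decisions."""
    store = PetnameStore()
    steps = [browser_action(store, "furnace.home", FURNACE_KEY, ca_chain_valid=False)]
    store.assign("furnace.home", "my furnace", FURNACE_KEY)  # the user's decision
    steps.append(browser_action(store, "Furnace.Home.", FURNACE_KEY, ca_chain_valid=False))
    steps.append(browser_action(store, "furnace.home", ATTACKER_KEY, ca_chain_valid=True))
    steps.append(browser_action(store, "router.home", FURNACE_KEY, ca_chain_valid=False))
    return steps


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two points the thread's prose leaves implicit: the binding is per host name, so the furnace's key presented by `router.home` is still a first contact rather than trusted, and the dangerous case is not "no CA signed this" but "the key under a name I already trust has changed", which is why `browser_action` blocks a mismatch even when a CA chain validates the new certificate.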