Re: Draft finding - "Transitioning the Web to HTTPS" from Noah Mendelsohn on 2014-12-09 (www-tag@w3.org from December 2014)

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Mon, 08 Dec 2014 19:57:47 -0500
To: Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <5486490B.9020502@arcanedomain.com>

I'm really delighted to see you undertaking this: a very important topic 
and just the sort of thing the TAG should be doing IMO. I didn't see an 
indication of where comments should go, so I'll make two here:

I. Caching and proxies

I would love to see a really balanced analysis of whatever you discover to 
be the key tradeoffs involving caching. E.g. where exactly will caching 
capability likely be lost and in which such places will the loss be 
painful? Will the continued need for caching lead to changes in deployment 
of keys, certs and endpoints, if those are the right terms. In other words, 
when will the need for caching resulting in a cache node acting as a 
decrypting "man in the middle", when it might not otherwise. How about 
things like deep packet inspection (which seems to have seem clearly 
laudable uses, e.g. for routing incoming traffic and some more 
controversial uses.)

So many HTTP features and so much of the Web's early deployment focused on 
making proxies and caching effective. No doubt that's become somewhat less 
important as links have gotten cheaper and faster, but it would be great to 
see a balanced exploration of the tradeoffs as they stand. If the result of 
that analysis is that HTTPs is mostly practical and desirable, then all the 
better.

II. Privacy

I also have the vague impression that there is a loss of privacy that 
indirectly results from the reduced practicality of proxies, but I'm not 
sure that intuition is correct. If there are privacy issues with the HTTPs 
transition, that would be worth exploring too.

Thank you. Good luck with this!

Noah

On 12/8/2014 6:28 PM, Mark Nottingham wrote:
> We've started work on a new Finding, to a) serve as a Web version of the IAB statement, and b) support the work on Secure Origins in WebAppSec.
>
> See: <https://w3ctag.github.io/web-https/>
>
> Repo w/ issues list at <https://github.com/w3ctag/web-https>.
>
> Cheers,
>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>

Received on Tuesday, 9 December 2014 00:58:12 UTC