- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Wed, 10 Dec 2014 07:14:44 -0500
- To: Tim Bray <tbray@textuality.com>
- CC: Mark Nottingham <mnot@mnot.net>, "www-tag@w3.org List" <www-tag@w3.org>

Another argument might focus around timing in the technology
life-cycle: It may well have been easier to develop early Internet and
Web protocols without consideration of security -- cleartext is less
complex and easier to debug.

Now, however, the Internet and Web have both developed sufficiently to
stabilize core aspects and become important enough that the harmful
consequences of insecurity and lack of privacy protection outweigh the
benefits of simplicity.

We've also gotten better at security, and have standards that can make
it easier to deploy secure infrastructure, so pushing for universal
security can add to the economies of scale that bring its costs down
further.

I believe we've passed the inflection point after which any new
deployment should be secure by default, and that preserving the right
and ability to tinker and continue innovating is fully consistent with
that.

--Wendy

On 12/10/2014 12:17 AM, Tim Bray wrote:
> The arguments about the desirability of ubiquitous encryption have
> been going on a long time, but unfortunately tend to circularity
> because few *new* arguments are introduced in any given year. I
> have written a draft which assembles the most-commonly-heard
> arguments against the universal deployment of privacy technology,
> and provides counter-arguments. I suspect much of it is material
> to this discussion, and it’s not very long:
> https://www.tbray.org/tmp/draft-bray-privacy-choices-00.html :
> “Privacy Choices for Internet Data Services”
>
> On Tue, Dec 9, 2014 at 7:36 PM, Marc Fawzi <marc.fawzi@gmail.com>
> wrote:
>
>> I think this list is public for a reason, right? So concerned
>> citizens of the web can voice their opinion? Or maybe another
>> reason?
>>
>> Anyway, as far as opinions go I think that APIs that only work on
>> HTTPS but could in reality work on HTTP means that if some app
>> wanted to use such API then it must purchase an SSL certificate
>> (I think they still cost a lot of money) and incur extra cost in
>> the cloud or data center.
>>
>> Sent from my iPhone
>>
>>> On Dec 9, 2014, at 1:23 PM, Bjoern Hoehrmann
>>> <derhoermi@gmx.net> wrote:
>>>
>>> * Mark Nottingham wrote:
>>>> When I talk to browser folks about this, they say that you
>>>> can still install a CA to observe traffic, or look at the
>>>> console / dev tools, etc. I think that's a reasonable answer,
>>>> but one that needs better tools available to foster this kind
>>>> of research.
>>>
>>> It is actually quite common that you cannot install
>>> certificates and do not have debugging tools available, or
>>> would not be able to rely on them because their use is
>>> detectable. Considering that heteronomous computing is being
>>> made a fundamental part of the Web, it seems very unlikely
>>> that the TAG would agree that users have a right to know what
>>> their computers do and what data they send and receive.
>>> --
>>> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
>>> D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
>>> Available for hire in Berlin (early 2015) · http://www.websitedev.de/

--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)

Received on Wednesday, 10 December 2014 12:14:54 UTC