W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Marc Fawzi <marc.fawzi@gmail.com>
Date: Sat, 13 Dec 2014 08:02:35 -0800
Message-Id: <B87B3787-2C52-475B-A046-AC7F070C3204@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Paul Libbrecht <paul@hoplahup.net>, Melvin Carvalho <melvincarvalho@gmail.com>, Tim Bray <tbray@textuality.com>, Chris Palmer <palmer@google.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
To: Domenic Denicola <d@domenic.me>
Will do , but if the server's public key is swapped by an attacker the server won't be able to decrypt the request that was encrypted with the attacker's key, so that would be a way to detect an attack. 

Just trying to get to the essence if why Web Crypto exists and if there us any scenario under which it can make CA's redundant. After all, CA scheme is not without problems. Even if everything about issuing and renewing certificates is automated it's still an old world paradigm where some central authority is in charge of issuing users the right to a very basic activity (communicating between A and B) it's like the Department of Motor Vehicles. At the very least, it's about record keeping. At the very worst CA's will be able to revoke certificates or be compromised by powerful parties.

With all the brains and deep practical expertise at TAG and IETF couldn't the web get a completely decentralized security model? Has the TAG proven the theoretical impossibility of having a purely p2p security model that does not involve CAs? 

this ultimate question is useless to ask anywhere except here. So I hope it justifies all the other related questions ... 

Sent from my iPhone

> On Dec 12, 2014, at 8:18 PM, Domenic Denicola <d@domenic.me> wrote:
> I really don't want to spend too much time delving into debunking of do-it-yourself crypto schemes, but to just give you an idea: how does the browser get the server's public key over an untrusted channel?
> I'd encourage you to take such questions to another venue like StackOverflow.
> -----Original Message-----
> From: Marc Fawzi [mailto:marc.fawzi@gmail.com] 
> Sent: Friday, December 12, 2014 22:48
> To: Anne van Kesteren
> Cc: Paul Libbrecht; Melvin Carvalho; Tim Bray; Chris Palmer; Bjoern Hoehrmann; Mark Nottingham; Noah Mendelsohn; www-tag@w3.org List
> Subject: Re: Draft finding - "Transitioning the Web to HTTPS"
> Not an argument against https-everything but would anyone say that the web could have been taken into another more interesting direction with "built in" Web Crypto-based request encryption (built in means not downloaded as a script but built into the browser) and web servers that encrypt the response using the user's public key. Why would we need a centralized certificate authority? Why do we assign the authority to a 3rd party? If my browser can detect the sever's capability, gets it's public key and automatically encrypts every request I send to it then what would be the reason for having a certificate authority? 
> Sent from my iPhone
>>> On Dec 12, 2014, at 1:59 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> On Fri, Dec 12, 2014 at 9:55 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
>>> But not UI has appeared doing that.
>> I'm hopeful for https://letsencrypt.org/ to make this easy over time 
>> (and eventually simply the default with shared hosting setups). Until 
>> then dealing with the UI mess that is StartSSL or paying a bit for 
>> SSLMate is the way to go.
>> --
>> https://annevankesteren.nl/
Received on Saturday, 13 December 2014 16:03:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC