Re: Draft finding - "Transitioning the Web to HTTPS" from Melvin Carvalho on 2014-12-13 (www-tag@w3.org from December 2014)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 13 Dec 2014 17:58:30 +0100
To: Marc Fawzi <marc.fawzi@gmail.com>
Cc: Domenic Denicola <d@domenic.me>, Anne van Kesteren <annevk@annevk.nl>, Paul Libbrecht <paul@hoplahup.net>, Tim Bray <tbray@textuality.com>, Chris Palmer <palmer@google.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <CAKaEYhJpoacyc80ik9-_Bb1pCE_QSqg2--tQGx7dBTTrsv2Z+g@mail.gmail.com>

On 13 December 2014 at 17:02, Marc Fawzi <marc.fawzi@gmail.com> wrote:

> Will do , but if the server's public key is swapped by an attacker the
> server won't be able to decrypt the request that was encrypted with the
> attacker's key, so that would be a way to detect an attack.
>
> Just trying to get to the essence if why Web Crypto exists and if there us
> any scenario under which it can make CA's redundant. After all, CA scheme
> is not without problems. Even if everything about issuing and renewing
> certificates is automated it's still an old world paradigm where some
> central authority is in charge of issuing users the right to a very basic
> activity (communicating between A and B) it's like the Department of Motor
> Vehicles. At the very least, it's about record keeping. At the very worst
> CA's will be able to revoke certificates or be compromised by powerful
> parties.
>
> With all the brains and deep practical expertise at TAG and IETF couldn't
> the web get a completely decentralized security model? Has the TAG proven
> the theoretical impossibility of having a purely p2p security model that
> does not involve CAs?
>
> this ultimate question is useless to ask anywhere except here. So I hope
> it justifies all the other related questions ...
>

Note : wikipedia on X.509 "It can be used in a peer-to-peer, web of trust,
but was rarely used that way"

Three projects that I know of that try to decentralize SSL/TLS are:

1. WebID TLS -- http://www.w3.org/2005/Incubator/webid/spec/ ,
http://webid.info/
2. Convergence -- http://en.wikipedia.org/wiki/Convergence_(SSL)
3. Monkeysphere -- http://web.monkeysphere.info/

There may be be more.

Some members of the TAG have been quite helpful with (1), but none of these
have yet achieved a critical mass, as it is hard to convince browser
manufacturers to back decentralized SSL efforts, at least so far.
Hopefully 2015 and letsencrypt may mark a turning point.

I think it would be a good goal for the TAG to push for a more secure web
in parallel to pushing for an easier and cheaper SSL and one with more
opportunities for decentralized innovation to be on a level playing field
with centralized.


>
> Sent from my iPhone
>
> > On Dec 12, 2014, at 8:18 PM, Domenic Denicola <d@domenic.me> wrote:
> >
> > I really don't want to spend too much time delving into debunking of
> do-it-yourself crypto schemes, but to just give you an idea: how does the
> browser get the server's public key over an untrusted channel?
> >
> > I'd encourage you to take such questions to another venue like
> StackOverflow.
> >
> > -----Original Message-----
> > From: Marc Fawzi [mailto:marc.fawzi@gmail.com]
> > Sent: Friday, December 12, 2014 22:48
> > To: Anne van Kesteren
> > Cc: Paul Libbrecht; Melvin Carvalho; Tim Bray; Chris Palmer; Bjoern
> Hoehrmann; Mark Nottingham; Noah Mendelsohn; www-tag@w3.org List
> > Subject: Re: Draft finding - "Transitioning the Web to HTTPS"
> >
> > Not an argument against https-everything but would anyone say that the
> web could have been taken into another more interesting direction with
> "built in" Web Crypto-based request encryption (built in means not
> downloaded as a script but built into the browser) and web servers that
> encrypt the response using the user's public key. Why would we need a
> centralized certificate authority? Why do we assign the authority to a 3rd
> party? If my browser can detect the sever's capability, gets it's public
> key and automatically encrypts every request I send to it then what would
> be the reason for having a certificate authority?
> >
> > Sent from my iPhone
> >
> >>> On Dec 12, 2014, at 1:59 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> >>>
> >>> On Fri, Dec 12, 2014 at 9:55 PM, Paul Libbrecht <paul@hoplahup.net>
> wrote:
> >>> But not UI has appeared doing that.
> >>
> >> I'm hopeful for https://letsencrypt.org/ to make this easy over time
> >> (and eventually simply the default with shared hosting setups). Until
> >> then dealing with the UI mess that is StartSSL or paying a bit for
> >> SSLMate is the way to go.
> >>
> >>
> >> --
> >> https://annevankesteren.nl/
> >
>

Received on Saturday, 13 December 2014 16:58:58 UTC