- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 13 Dec 2014 17:58:30 +0100
- To: Marc Fawzi <marc.fawzi@gmail.com>
- Cc: Domenic Denicola <d@domenic.me>, Anne van Kesteren <annevk@annevk.nl>, Paul Libbrecht <paul@hoplahup.net>, Tim Bray <tbray@textuality.com>, Chris Palmer <palmer@google.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
- Message-ID: <CAKaEYhJpoacyc80ik9-_Bb1pCE_QSqg2--tQGx7dBTTrsv2Z+g@mail.gmail.com>
On 13 December 2014 at 17:02, Marc Fawzi <marc.fawzi@gmail.com> wrote: > Will do , but if the server's public key is swapped by an attacker the > server won't be able to decrypt the request that was encrypted with the > attacker's key, so that would be a way to detect an attack. > > Just trying to get to the essence if why Web Crypto exists and if there us > any scenario under which it can make CA's redundant. After all, CA scheme > is not without problems. Even if everything about issuing and renewing > certificates is automated it's still an old world paradigm where some > central authority is in charge of issuing users the right to a very basic > activity (communicating between A and B) it's like the Department of Motor > Vehicles. At the very least, it's about record keeping. At the very worst > CA's will be able to revoke certificates or be compromised by powerful > parties. > > With all the brains and deep practical expertise at TAG and IETF couldn't > the web get a completely decentralized security model? Has the TAG proven > the theoretical impossibility of having a purely p2p security model that > does not involve CAs? > > this ultimate question is useless to ask anywhere except here. So I hope > it justifies all the other related questions ... > Note : wikipedia on X.509 "It can be used in a peer-to-peer, web of trust, but was rarely used that way" Three projects that I know of that try to decentralize SSL/TLS are: 1. WebID TLS -- http://www.w3.org/2005/Incubator/webid/spec/ , http://webid.info/ 2. Convergence -- http://en.wikipedia.org/wiki/Convergence_(SSL) 3. Monkeysphere -- http://web.monkeysphere.info/ There may be be more. Some members of the TAG have been quite helpful with (1), but none of these have yet achieved a critical mass, as it is hard to convince browser manufacturers to back decentralized SSL efforts, at least so far. Hopefully 2015 and letsencrypt may mark a turning point. I think it would be a good goal for the TAG to push for a more secure web in parallel to pushing for an easier and cheaper SSL and one with more opportunities for decentralized innovation to be on a level playing field with centralized. > > Sent from my iPhone > > > On Dec 12, 2014, at 8:18 PM, Domenic Denicola <d@domenic.me> wrote: > > > > I really don't want to spend too much time delving into debunking of > do-it-yourself crypto schemes, but to just give you an idea: how does the > browser get the server's public key over an untrusted channel? > > > > I'd encourage you to take such questions to another venue like > StackOverflow. > > > > -----Original Message----- > > From: Marc Fawzi [mailto:marc.fawzi@gmail.com] > > Sent: Friday, December 12, 2014 22:48 > > To: Anne van Kesteren > > Cc: Paul Libbrecht; Melvin Carvalho; Tim Bray; Chris Palmer; Bjoern > Hoehrmann; Mark Nottingham; Noah Mendelsohn; www-tag@w3.org List > > Subject: Re: Draft finding - "Transitioning the Web to HTTPS" > > > > Not an argument against https-everything but would anyone say that the > web could have been taken into another more interesting direction with > "built in" Web Crypto-based request encryption (built in means not > downloaded as a script but built into the browser) and web servers that > encrypt the response using the user's public key. Why would we need a > centralized certificate authority? Why do we assign the authority to a 3rd > party? If my browser can detect the sever's capability, gets it's public > key and automatically encrypts every request I send to it then what would > be the reason for having a certificate authority? > > > > Sent from my iPhone > > > >>> On Dec 12, 2014, at 1:59 PM, Anne van Kesteren <annevk@annevk.nl> > wrote: > >>> > >>> On Fri, Dec 12, 2014 at 9:55 PM, Paul Libbrecht <paul@hoplahup.net> > wrote: > >>> But not UI has appeared doing that. > >> > >> I'm hopeful for https://letsencrypt.org/ to make this easy over time > >> (and eventually simply the default with shared hosting setups). Until > >> then dealing with the UI mess that is StartSSL or paying a bit for > >> SSLMate is the way to go. > >> > >> > >> -- > >> https://annevankesteren.nl/ > > >
Received on Saturday, 13 December 2014 16:58:58 UTC