
RE: Draft finding - "Transitioning the Web to HTTPS"

From: Domenic Denicola <d@domenic.me>
Date: Sat, 13 Dec 2014 17:29:09 +0000
To: Marc Fawzi <marc.fawzi@gmail.com>
CC: Anne van Kesteren <annevk@annevk.nl>, Paul Libbrecht <paul@hoplahup.net>, Melvin Carvalho <melvincarvalho@gmail.com>, Tim Bray <tbray@textuality.com>, Chris Palmer <palmer@google.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, "Mark Nottingham" <mnot@mnot.net>, Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org List" <www-tag@w3.org>
Message-ID: <CY1PR0501MB136962C3C570BF024DDD14FBDF610@CY1PR0501MB1369.namprd05.prod.outlook.com>
Decentralized security, usually embodied by "web of trust" models, has some advantages but also many disadvantages. I'd encourage you to read up on it, and I hope others who are more knowledgeable can chime in with the best links. It's not a "theoretical impossibility," but I personally would say it's a practical impossibility.

Fundamentally this is all a bootstrapping problem. You have to trust someone to start with, before you can begin exchanging information about other people to trust. Currently we start by trusting the CAs, who tell us we can trust many websites. Web of trust systems take a different approach, which I was about to describe but realized it's pretty complex to explain accurately so best to just go to e.g. https://en.wikipedia.org/wiki/Web_of_trust.

-----Original Message-----
From: Marc Fawzi [mailto:marc.fawzi@gmail.com] 
Sent: Saturday, December 13, 2014 11:03
To: Domenic Denicola
Cc: Anne van Kesteren; Paul Libbrecht; Melvin Carvalho; Tim Bray; Chris Palmer; Bjoern Hoehrmann; Mark Nottingham; Noah Mendelsohn; www-tag@w3.org List
Subject: Re: Draft finding - "Transitioning the Web to HTTPS"

Will do, but if the server's public key is swapped by an attacker the server won't be able to decrypt the request that was encrypted with the attacker's key, so that would be a way to detect an attack. 

Just trying to get to the essence of why Web Crypto exists and if there is any scenario under which it can make CAs redundant. After all, CA scheme is not without problems. Even if everything about issuing and renewing certificates is automated it's still an old world paradigm where some central authority is in charge of issuing users the right to a very basic activity (communicating between A and B) it's like the Department of Motor Vehicles. At the very least, it's about record keeping. At the very worst CAs will be able to revoke certificates or be compromised by powerful parties.

With all the brains and deep practical expertise at TAG and IETF couldn't the web get a completely decentralized security model? Has the TAG proven the theoretical impossibility of having a purely p2p security model that does not involve CAs? 

This ultimate question is useless to ask anywhere except here. So I hope it justifies all the other related questions ... 

Sent from my iPhone

> On Dec 12, 2014, at 8:18 PM, Domenic Denicola <d@domenic.me> wrote:
> I really don't want to spend too much time delving into debunking of do-it-yourself crypto schemes, but to just give you an idea: how does the browser get the server's public key over an untrusted channel?
> I'd encourage you to take such questions to another venue like StackOverflow.
> -----Original Message-----
> From: Marc Fawzi [mailto:marc.fawzi@gmail.com]
> Sent: Friday, December 12, 2014 22:48
> To: Anne van Kesteren
> Cc: Paul Libbrecht; Melvin Carvalho; Tim Bray; Chris Palmer; Bjoern 
> Hoehrmann; Mark Nottingham; Noah Mendelsohn; www-tag@w3.org List
> Subject: Re: Draft finding - "Transitioning the Web to HTTPS"
> Not an argument against https-everything but would anyone say that the web could have been taken into another more interesting direction with "built in" Web Crypto-based request encryption (built in means not downloaded as a script but built into the browser) and web servers that encrypt the response using the user's public key. Why would we need a centralized certificate authority? Why do we assign the authority to a 3rd party? If my browser can detect the server's capability, gets its public key and automatically encrypts every request I send to it then what would be the reason for having a certificate authority? 
> Sent from my iPhone
>>> On Dec 12, 2014, at 1:59 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> On Fri, Dec 12, 2014 at 9:55 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
>>> But no UI has appeared doing that.
>> I'm hopeful for https://letsencrypt.org/ to make this easy over time 
>> (and eventually simply the default with shared hosting setups). Until 
>> then dealing with the UI mess that is StartSSL or paying a bit for 
>> SSLMate is the way to go.
>> --
>> https://annevankesteren.nl/
Received on Saturday, 13 December 2014 17:29:40 UTC
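
The exchange debated in this thread, as an added example that is not part of any poster's message: it models a client that encrypts to whatever public key arrives over the untrusted channel, shows what the server observes when an on-path relay substitutes that key, and then adds the out-of-band fingerprint check (the role a CA-signed certificate or a pin plays). The toy textbook RSA, the function names and the sample request are all assumptions constructed for illustration.

```python
import hashlib

M61, M89, M107 = 2**61 - 1, 2**89 - 1, 2**107 - 1   # Mersenne primes

def keypair(p, q, e=65537):
    """Toy textbook RSA (no padding, small keys): illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))              # (public, private)

def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def fingerprint(pub):
    return hashlib.sha256(repr(pub).encode()).hexdigest()

def exchange(request, server_keys, relay_keys=None, trusted_fp=None):
    """Send one request over an untrusted channel.

    relay_keys: key pair of an on-path party that substitutes its own
    public key (constructed scenario). trusted_fp: fingerprint the client
    obtained out of band. Returns (server_decrypted, relay_read).
    """
    server_pub, server_priv = server_keys
    offered = relay_keys[0] if relay_keys else server_pub   # key the client sees
    if trusted_fp is not None and fingerprint(offered) != trusted_fp:
        raise ValueError("offered key does not match trusted fingerprint")
    ciphertext = encrypt(offered, request)
    relay_read = None
    if relay_keys:                        # relay decrypts, then re-encrypts
        relay_read = decrypt(relay_keys[1], ciphertext)
        ciphertext = encrypt(server_pub, relay_read)
    return decrypt(server_priv, ciphertext), relay_read

SERVER = keypair(M61, M89)
RELAY = keypair(M89, M107)
REQUEST = int.from_bytes(b"GET /inbox", "big")       # constructed sample request

if __name__ == "__main__":
    # No trust anchor: the server decrypts normally, so it sees nothing wrong.
    print(exchange(REQUEST, SERVER, RELAY))
    try:                                  # with a trust anchor the client refuses
        exchange(REQUEST, SERVER, RELAY, fingerprint(SERVER[0]))
    except ValueError as err:
        print("client refused:", err)
```

The detection point is the client's comparison against something it already trusts; where that trusted fingerprint comes from is the bootstrapping problem described at the top of this message.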
