- From: Chris Palmer <palmer@google.com>
- Date: Mon, 22 Dec 2014 11:19:38 -0800
- To: Marc Fawzi <marc.fawzi@gmail.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Domenic Denicola <d@domenic.me>, Tim Berners-Lee <timbl@w3.org>, "Eric J. Bowman" <eric@bisonsystems.net>, Melvin Carvalho <melvincarvalho@gmail.com>, Public TAG List <www-tag@w3.org>

On Sun, Dec 21, 2014 at 9:56 AM, Marc Fawzi <marc.fawzi@gmail.com> wrote:

> I have actually been consulting with a friend who is the chief security
> expert at a famous public company (cloud infrastructure) and he thinks
> people on this list are narrow minded as there are plenty of opportunities
> to design a decentralized security model, not one that would necessarily
> replace https but could use it to download the script securely (as a browser
> extension) and then use it to implement a secure decentralized security
> model that would work over http.

An appeal to (anonymous) authority is not very convincing.

One could do what you describe, but it would always be built on top of the current multiply-centralized secure introduction system (i.e. the web PKI, or "CA system"). For example, downloading extensions securely... how is that done? HTTPS, with client introduced to server by... the web PKI. (Extensions are often additionally code-signed, but again using... centralized introducers.)

So, why? What problem would such a system solve? And, why would anyone crave HTTP for a supposedly secure system when HTTPS is available and works well? A decentralized authentication system for e.g. instant messages would be strictly better over HTTPS than over HTTP.

> You say convergence.io suffers
> from lack of performance

Don't forget that it's bad for privacy, too.

Received on Monday, 22 December 2014 19:20:06 UTC