
Re: Comments on the EME opinion

From: Mark Watson <watsonm@netflix.com>
Date: Thu, 23 Oct 2014 14:40:08 -0700
Message-ID: <CAEnTvdAzgbZJ-Wy8GscUQ6uD8M-oCoBsjNLwnVtS7-80ukwN5w@mail.gmail.com>
To: Domenic Denicola <domenic@domenicdenicola.com>
Cc: David Dorwin <ddorwin@google.com>, Henri Sivonen <hsivonen@hsivonen.fi>, www-tag <www-tag@w3.org>
On Thu, Oct 23, 2014 at 2:11 PM, Domenic Denicola <domenic@domenicdenicola.com> wrote:

> From: Mark Watson [mailto:watsonm@netflix.com]
>
> > Well, obviously, it's not something anyone would be "for", if there was
> > an alternative.
>
> The existence of an alternative to these kind of one-by-one deals and
> coding setups is the entire idea the TAG feedback is driving at.
>

Sure, and it is by no means a new idea.

I'm fairly sure that if such a solution was available we would be using it.
I don't think the absence of such solutions is for want of smart people
trying. If you have some ideas for overcoming the various obstacles I
mentioned, I'd love to hear them.


>
> > Large content providers are not all going to migrate to HTTPS overnight.
>
> Just thinking out loud, but have you considered a flag day? E.g., the spec
> says that after 2015-XX-XX, all implementations require secure origins.
> This should be encoded in implementations in a testable way out of the box,
> so that e.g. setting your system clock forward will trigger it. That would
> give enough time for content providers to migrate while avoiding the
> situation of shipping an insecure implementation forever.
>
> I imagine there are lots of holes to poke in this idea...
>
>

A little more generally, when you talk about migrating large chunks of the
web to HTTPS you are talking about asking industry to expend large sums of
money. You're also talking about a need to develop new technologies to
handle HTTPS at scale - at least we believe some new technology is needed.
I think we need to consider what strategies are most likely to be
successful in getting private businesses to spend that kind of money and to
get the technologies developed. It's the sort of thing where you need to
build consensus around a manageable and realistic plan and certainly such a
plan could include target dates. I would not expect any kind of unilateral
fiat from a standards organization or anyone else to be very well-received.

...Mark
Received on Thursday, 23 October 2014 21:40:36 UTC
