Re: Considering the pressure to turn HTTPS into a three-party protocol from Ryan Sleevi on 2015-02-16 (www-tag@w3.org from February 2015)

From: Ryan Sleevi <sleevi@google.com>
Date: Sun, 15 Feb 2015 17:04:01 -0800
To: www-tag@w3.org
Message-ID: <CACvaWvavAMxgEAWVVjXZQBLP7rmAw9DNJ-PXdkmYDMTF+oc=nQ@mail.gmail.com>

Mark,

I had a lot more written, but realized it's best to keep things short
and simple:

a) No, not in scope
b) Important, in an abstract sense, but not in the www-tag as a specific item
c) Absolutely not

As a browser security person, particularly one who has been involved
in certificate pinning and transparency, I would just add that the
reason for not adding such controls is not about fear of losing users.
It's about remembering the classic immutable laws of security. In
particular, Rule #2 applies [1].

There's a lot more I can say on this - as you know from our
discussions in person on this topic, our emails, and our Tweets - but
I suspect it would do better just to make it clear that I don't think
it'd be a productive endeavor for the TAG to engage in, and just move
on.

[1] https://technet.microsoft.com/library/cc722487.aspx#EJAA

Received on Monday, 16 February 2015 01:04:28 UTC