Re: Considering the pressure to turn HTTPS into a three-party protocol

Hey Ryan,

*nod* - that response isn't entirely unexpected.

Your invocation of Law #2 is interesting, but I think that much of the focus to date has been on corporate laptops, etc. -- where Law #2 is a given. 

My point is that in the currently deployed Web, users are allowing "bad guys" -- even if well-intentioned ones -- onto their systems without understanding what they're doing. While this is always going to be the case (e.g., downloaded binaries), we have what amount to undocumented features in the Web platform which encourage it.

I don't want to get expectations (or your fears) too inflamed -- this may just end up being an education campaign (perhaps with EFF?) along with some discussions around how there can be better alignment between certain features of browsers, along with better documentation around them.

Cheers,


> On 16 Feb 2015, at 12:04 pm, Ryan Sleevi <sleevi@google.com> wrote:
> 
> Mark,
> 
> I had a lot more written, but realized it's best to keep things short
> and simple:
> 
> a) No, not in scope
> b) Important, in an abstract sense, but not in the www-tag as a specific item
> c) Absolutely not
> 
> As a browser security person, particularly one who has been involved
> in certificate pinning and transparency, I would just add that the
> reason for not adding such controls is not about fear of losing users.
> It's about remembering the classic immutable laws of security. In
> particular, Rule #2 applies [1].
> 
> There's a lot more I can say on this - as you know from our
> discussions in person on this topic, our emails, and our Tweets - but
> I suspect it would do better just to make it clear that I don't think
> it'd be a productive endeavor for the TAG to engage in, and just move
> on.
> 
> [1] https://technet.microsoft.com/library/cc722487.aspx#EJAA
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 16 February 2015 01:26:16 UTC