Re: Considering the pressure to turn HTTPS into a three-party protocol

On Sun, Feb 15, 2015 at 5:25 PM, Mark Nottingham <mnot@mnot.net> wrote:
> My point is that in the currently deployed Web, users are allowing "bad guys" -- even if well-intentioned ones -- onto their systems without understanding what they're doing. While this is always going to be the case (e.g., downloaded binaries), we have what amount to undocumented features in the Web platform which encourage it.

Does this mean that the next activity for the TAG is to issue a draft
finding on antivirus solutions, how they're implemented, and what they
communicate to the user?

I don't mean to be snarky, but merely to highlight that this is a
problem regardless of whether you're talking CA certificates, split
browsers, extensions, browser helpers, performance tuners, registry
cleaners, RAM doublers, free games, desktop buddies, or any number of
the hundreds of other things people will download and run on their
machines. Are we to suggest that these are all now undocumented
features of the Web platform, simply because they may affect how the
users' machine operates (and therefore, accesses the Web?)

I would strongly disagree that this is, by any means, some
"undocumented feature of the Web platform". Even if we were to accept
that as true (a mistake, I believe), then its very nature should
suggest that it's not the purview of the W3C, but of the IETF - land
of protocols and best practices and deployments. After all, why
shouldn't the behaviour of a TLS client be discussed in the same fora
where TLS implementation is discussed? Why wouldn't the discussion of
HTTP proxies be better discussed where HTTP proxies are defined - such
as HTTPbis?

I appreciate the consideration to "think about the users," but I
disagree with both the premise and the suggested result. Your concern
that this is a "browser problem" further disturbs me for the scope.
Does this mean to suggest that the W3C TAG will have a finding on how
"enterprise manageable" browsers are, with a similar opinion?

> I don't want to get expectations (or your fears) too inflamed -- this may just end up being an education campaign (perhaps with EFF?) along with some discussions around how there can be better alignment between certain features of browsers, along with better documentation around them.

And here again, I would suggest, the W3C is the wrong forum for this.
If you wish to discuss Best Community Practice for HTTP
intermediaries, why not go where HTTP intermediaries are defined - the
HTTP WG? If you wish to discuss ways in which the Web PKI operates in
practice, why not go discuss in the WebPKI Ops WG? If you wish to
discuss whether TLS with server-only authentication should be expected
to provide End to End security, why not discuss in the TLS WG? If you
wish to discuss how TLS is used in applications, why not discuss in
the UTA (Using TLS in Applications) WG?

Received on Monday, 16 February 2015 01:55:14 UTC