W3C home > Mailing lists > Public > www-tag@w3.org > February 2015

Re: Considering the pressure to turn HTTPS into a three-party protocol

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 16 Feb 2015 13:30:45 +1100
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <8BD423B8-51CD-4507-854C-3A539503B3BA@mnot.net>
To: Ryan Sleevi <sleevi@google.com>
Hi Ryan,

> On 16 Feb 2015, at 12:54 pm, Ryan Sleevi <sleevi@google.com> wrote:
> On Sun, Feb 15, 2015 at 5:25 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> My point is that in the currently deployed Web, users are allowing "bad guys" -- even if well-intentioned ones -- onto their systems without understanding what they're doing. While this is always going to be the case (e.g., downloaded binaries), we have what amount to undocumented features in the Web platform which encourage it.
> Does this mean that the next activity for the TAG is to issue a draft
> finding on antivirus solutions, how they're implemented, and what they
> communicate to the user?

That's a straw-man, but I have seen some browser vendors interested in defining APIs to give limited access to antivirus solutions, with appropriate constraints. Don't think that's a TAG deliverable, but it's possibly interesting work.

> I don't mean to be snarky, but merely to highlight that this is a
> problem regardless of whether you're talking CA certificates, split
> browsers, extensions, browser helpers, performance tuners, registry
> cleaners, ram doublers, free games, desktop buddies, or any number of
> the hundreds of other things people will download and run on their
> machines. Are we to suggest that these are all now undocumented
> features of the Web platform, simply because they may affect how the
> users' machine operates (and therefore, accesses the Web?)

CA certs and extensions are built into all of the major browsers. We don't have to solve all of the problems in computer security to improve users' understanding of how they're using the Web.

> I would strongly disagree that this is, by any means, some
> "undocumented feature of the Web platform". Even if we were to accept
> that as true (a mistake, I believe), then its very nature should
> suggest that it's not the purview of the W3C, but of the IETF - land
> of protocols and best practices and deployments. After all, why
> shouldn't the behaviour of a TLS client be discussed in the same fora
> where TLS implementation is discussed?

Because the TLS WG defines the TLS protocol, not how it's used.

> Why wouldn't the discussion of
> HTTP proxies be better discussed where HTTP proxies are defined - such
> as HTTPbis?

Because HTTP is used by many applications, not just Web browsers, and because of that we've already tried and failed to do so.

> I appreciate the consideration to "think about the users," but I
> disagree with both the premise and the suggested result.

I didn't yet suggest a result, beyond general handwaving about education and looking into the problem...

> Your concern
> that this is a "browser problem" further disturbs me for the scope.
> Does this mean to suggest that the W3C TAG will have finding on how
> "enterprise managable" browsers are, with a similar opinion?


>> I don't want to get expectations (or your fears) too inflamed -- this may just end up being an education campaign (perhaps with EFF?) along with some discussions around how there can be better alignment between certain features of browsers, along with better documentation around them.
> And here again, I would suggest, the W3C is the wrong forum for this.
> If you wish to discuss Best Community Practice for HTTP
> intermediaries, why not go where HTTP intermediaries are defined - the

Answered above.

> If you wish to discuss ways in which the Web PKI operates in
> practice, why not go discuss in the WebPKI Ops WG?

Because it looks pretty dead. And, see below.

> If you wish to
> discuss whether TLS with server-only authentication should be expected
> to provide End to End security, why not discuss in the TLS WG?

Again, protocol.

> If you
> wish to discuss how TLS is used in applications, why not discuss in
> the UTA (Using TLS in Applications) WG?

Because this is a question of how the Web is presented to and understood by end users, and the W3C firmly owns that, not the IETF. Clearly you don't like it as a venue, but it's what we've got. Though if the WHATWG has an opinion, I'd be happy to chat.

Again, I'm not yet proposing that the TAG produce any technical documents.


Mark Nottingham   https://www.mnot.net/
Received on Monday, 16 February 2015 02:31:25 UTC

This archive was generated by hypermail 2.3.1 : Monday, 16 February 2015 02:31:25 UTC