Re: Draft finding - "Transitioning the Web to HTTPS"

A few points that struck me reading this thread over the last month:

1. Internet of Things and caches

The internet of things is probably going to pretty localised. We imagine sensors in houses, etcÖ
If these sensors use anything to communicate then they would probably be using udp over
tcp/ip. And whatever they do, they probably should not be communicating over the wider
internet, but only within the space at which they are located. ( or else we get huge problems
with privacy ). If that is so then we should imagine a setup where these communicate with
something like a local server. The local server can then communicate over the web with remote
server to exchange larger chunks of information that what any single device can communicate.
So I donít see the case for internet things and internet caches.

2. CAs and DNSsec

The CA system by itself is broken, and it needs to be enhanced by a DNSSec based
mechanism. Protocols for both CA and DNSSEC key registration by web servers should 
be developed. I can think of reasonably simple ways of doing that with the semantic web.
It is not because something is difficult to use at present that it has to remain so. Unix
used to be difficult to use, now it is running most cell phones.

3. Unneeded cryptography

First I think TLS has a mode with 0 encryption. This should of course be visible in the UI.
( just verification that the content has not been changed en route)
This may cover some of the issues brought up, such as those related to encrypting large
video files.

4. Binary Caches

These form the larges amount of data on the web of course, but tend to be things that
donít change very often. With 0 encryption TLS perhaps proxies could be changed
to cache non encrypted content, with the original site publishing a hash of the original 
binary conent. 

One can also imagine URLs for a new protocol that refer to a representation rather
than resources. These would be most useful for binary content. This would allow
any web site to make copies of the content and republish it. This would of course
only work for content that has very open Intellectual Property rights associated with it.

5. Client side certificates

This whole debate has left out the single sign on mechanisms that come with TLS.
Global client authentication is just as useful and important as to create a distributed
social web that is privacy aware.
A protocol to make use of TLS client authentication reducing the cost of it has been 
described by the WebID group. See the WebID-TLS spec here:

This could also be used as a basis to increase the web of trust server side as
described in my presentation at the EU IDentity conference in Switzerland a few
years ago

Just some thoughts,

Henry Story

Social Web Architect

Received on Monday, 19 January 2015 13:45:07 UTC