Re: Draft finding - "Transitioning the Web to HTTPS"

Mark Nottingham wrote:
> 
> > Adopting "https://" has the side effect of disallowing shared HTTP
> > caching [RFC7234]. Shared caching has a limited role on the Web
> > today; many high traffic sites either discourage caching with
> > metadata, or disallow it by already using "https://". However,
> > shared caching is still considered desirable by some (e.g., in
> > limited networks); in some cases, it might be so desirable that
> > networks require users to accept TLS Man-in-the-Middle -- which is
> > a bad outcome for Web security overall. Therefore, we encourage
> > exploration of alternative mechanisms that preserve security more
> > robustly, such as certain uses of Subresource Integrity [SRI].
> 
> Is that adequate, and if not, can you suggest edits?
> 

No, it isn't. There's a distinct POV that any desirability of caching
is only a perception of those who fall below the 80/20 line or have
nefarious MitM intent. Which is dismissive of the point I raised about
the demise of Net Neutrality being a distinct possibility which inverts
the desirability equation to 20/80, shared-caching-wise.

The framing of caching as undesirable takes some wind out of the sails
of encouraging alternatives, whereas re-framing the issue in Net Neut
terms makes it rather more imperative, I should think. The current
wording assumes "all things being equal" which can't be assumed, today.

This point was raised on this list and shouldn't be dismissed by the
TAG without discussion on this list, even to state that my point was
considered and rejected. Which if it was in the minutes, I missed. Even
if I don't propose alternative wording which considers this point. ;-)

-Eric

Received on Monday, 19 January 2015 23:18:55 UTC