Re: Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Mon, 26 Jan 2015 20:11:45 -0700
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Message-Id: <20150126201145.14774018d499a1e334bf49a0@bisonsystems.net>

Noah Mendelsohn wrote:
> 
> Mark Nottingham wrote:
>
> > While I agree with you in spirit — we should be building a Web for
> > the long term, and we should allow unintended reuse — this seems
> > like an argument that “we shouldn’t do X because it might reduce
> > utility in undefined, far-future circumstances,” and that’s a VERY
> > high bar to get past. It’s also one that AFAICT we haven’t applied
> > to any other decision made at the W3C.
> 
> I buy your concern up to a point, but I think the case can be made
> that caching has shown its utility often and in many distributed
> systems, including until fairly recently (some argue still) on the
> Web.
> 

More broadly, I'd say that intermediary participation in network
communications has shown its utility. Not just caches, but malware/
virus/spam gateways which recognize both :25 and webmail, for example.
None of which are necessarily caches; just the sort of baby that gets
thrown out with the bathwater, when intermediary participation gets
redefined as simply a concern over "YAGNI" caching to justify its
demise.

> 
> Whichever path we choose is a gamble. Maybe a balanced analysis would
> indeed suggest the emerging emphasis on https, but I confess that at
> times the discussion has seemed a bit weighted toward presuming that
> it is.
> 

My problem entirely, to the point I find it worth re-iterating that I'm
not against privacy, merely the assumption that TLS is the only
solution to that problem. My argument has been mis-characterized as pro
HTTP-digest, but I really only bring that up as a starting point -- a
better HTTP-auth scheme, including end-to-end integrity checking, seems
a viable alternative to the status quo. And one which must be falsified,
before continuing to endorse said status quo.

-Eric
Received on Tuesday, 27 January 2015 03:12:10 UTC
