On Tue, Mar 25, 2014 at 1:09 PM, Trevor Perrin <[email protected]> wrote:
> On Mon, Mar 24, 2014 at 9:51 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> > On 03/24/2014 12:36 PM, Keith Moore wrote:
> >
> > > So, what's the incentive for either clients or servers to support OE if
> > > clients just silently accept it without any indication to the user?
> > > Just for the good of mankind?
> >
> > I'd say "to increase the cost of pervasive monitoring" and "to resist
> > surveillance by passive attackers"
>
> I'd go further - OE for HTTP could have strong auth added to it in the
> future, such as pinning or DANE, which *could* be indicated to the
> user.

Please be cautious about suggesting user indications. UI is complicated and all that.

More specifically, in the browser case, even if you could strongly authenticate a connection over which you request a http:// page, I wouldn't want to give that page the https lock treatment. Note that https:// has different semantics (referer semantics, mixed content, etc.). If you are loading http:// subresources like scripts over insecure connections, then even though the page may have been loaded over a secure connection, it's still insecure. I assume that OE for HTTP wouldn't opportunistically upgrade a http:// page to https:// page semantics, as that would introduce lots of web compatibility issues.

> So encryption-without-WebPKI is not just a step away from strong auth,
> it's also a step towards
> encryption-without-WebPKI-BUT-WITH-EASIER-STRONG-AUTH.
>
> I think a lot of the concern around OE is about the "second-order"
> effect of discouraging strong-auth ("it's encrypted, why do more?"),
> but I think this is a different second-order effect ("I can do pinning
> without needing a cert!") which should be considered.
>
>
> Trevor
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
