On Tue, Mar 25, 2014 at 4:47 PM, Trevor Perrin <[email protected]> wrote:
> On Tue, Mar 25, 2014 at 1:24 PM, William Chan (陈智昌)
> <[email protected]> wrote:
>> On Tue, Mar 25, 2014 at 1:09 PM, Trevor Perrin <[email protected]> wrote:
>>>
>>> On Mon, Mar 24, 2014 at 9:51 AM, Daniel Kahn Gillmor
>>> <[email protected]> wrote:
>>> > On 03/24/2014 12:36 PM, Keith Moore wrote:
>>> >
>>> >> So, what's the incentive for either clients or servers to support OE if
>>> >> clients just silently accept it without any indication to the user?
>>> >> Just for the good of mankind?
>>> >
>>> > I'd say "to increase the cost of pervasive monitoring" and "to resist
>>> > surveillance by passive attackers"
>>>
>>> I'd go further - OE for HTTP could have strong auth added to it in the
>>> future, such as pinning or DANE, which *could* be indicated to the
>>> user.
>>
>>
>> Please be cautious about suggesting user indications. UI is complicated and
>> all that. More specifically in the browser case, even if you could strongly
>> authenticate a connection over which you request a http:// page, I wouldn't
>> want to give that page the https lock treatment. Note that https:// has
>> different semantics (referer semantics, mixed content, etc).
>
> Good points, thanks. Maybe adding other auth methods to HTTP-over-TLS
> would be best done silently, with no UI unless a security failure
> occurs?

Sadly this doesn't work. If I can imitate the website because of a
WebPKI failure, I can pretend to not support whatever additional auth
is done. It's the reason OCSP stapling doesn't work.

Furthermore, taking an economic perspective, authentication has a
winner-take-all aspect to it. A new client has to support the
authentication everyone already uses. But a site only has to support
the authentication the client accepts. Any new authentication mechanism
will only be adopted in domains where the existing one doesn't work.

Sincerely,
Watson Ladd

> I think I like that, as I think catching "badness" is more useful than
> indicating "goodness". But these are hard Qs, I'm just trying to point
> out some possibilities at this point.
>
>
> Trevor
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
