On Friday, November 14, 2014 6:25:43 PM UTC+11, Henri Sivonen wrote:
> This is obvious to everyone reading this mailing list. My concern is
> that if the distinction between http and https gets fuzzier, people
> who want "encryption" but who want to avoid ever having to pay a penny
> to a CA will think that http+OE is close enough to https that they
> deploy http+OE when if http+OE didn't exist, they'd hold their nose,
> pay a few dollars to a CA and deploy https with a publicly trusted
> cert (now that there's more awareness of the need for encryption).
Could I just interject at this point (while apologising for my general rudeness and lack of technical security knowledge)?

The issue isn't that people are cheapskates and will lose 'a few dollars'. The issue is that transaction costs <http://en.wikipedia.org/wiki/Transaction_cost> can be crippling.

Another problem is that the whole CA system is equivalent to a walled garden, in which a small set of 'trusted' individuals (ultimately) restrict or permit what everyone else can see. It hasn't caused problems in the history of the internet so far, because a non-centralised alternative exists. (An alternative that is substantially more popular *precisely* *because* of transaction costs and independence.) This means it's currently a difficult environment for a few mega-CAs (and governments) to exercise any power. A CA-only internet changes that environment radically.

I'm unsurprised that Google doesn't think this is an issue. If they do something that (largely invisibly but substantially) increases the internet's http://en.wikipedia.org/wiki/Barriers_to_entry, it reduces diversity on the internet, but otherwise doesn't affect Google very much. (Actually, it may do, since it will make glorified hosting services like Facebook much more popular still over independent websites.)

However, there is a special onus on Mozilla to think through *all* the social implications of what it does. Security is *never* pure win; there is *always* a trade-off that society has to make, and I don't see this being considered properly here.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform