On Wed, Nov 19, 2014 at 1:45 AM, Henri Sivonen <hsivo...@hsivonen.fi> wrote:
> Does Akamai's logo appearing on the Let's Encrypt announcements change
> Akamai's need for OE? (Seems *really* weird if not.)

let's encrypt is awesome - more https is awesome.

The availability of let's encrypt (or something like it) was certainly taken into consideration in the OE thinking. The idea has been kicking around for a while from lots of orgs so it was foreseeable someone would pull it off - but huge kudos to our partnership for doing it as that really is powerful and will help the web. It's also a feather in Mozilla's cap. I'm really excited about it.

OE plus Let's Encrypt is exactly the manifestation of walking and chewing gum at the same time that I referred to earlier. We're working hard at this to improve things on multiple fronts and the ideas are not at odds with each other.

Ciphertext as the new plaintext is meant to cover situations where people won't run https. Kudos for let's encrypt helping make that a smaller market, but it doesn't solve all the use cases of http:// (nor does OE - but it reaches potentially more of them). These include legacy content and urls, third-party mixed content, regulatory compliance, CA-risk, non-access to webpki. A hosting or CDN provider doesn't control all of those things - especially the legacy and mixed content. But they can compatibly improve the transport experience and they're interested in doing that.

So to answer your question without having a partner discussion on dev-platform, the folks interested in deploying OE foresaw let's encrypt (or something like it) and are still interested in OE.

There are basically 2 arguments against OE here:
1] you don't need OE because everyone can run https and
2] OE somehow undermines https

I don't buy them because [1] remains a substantial body of data and [2] is unsubstantiated speculation and borders on untested FUD.

I understand that google is the loudest voice - yet these realities impact them as well if you look at their actions on google.com. Google, despite being the leading industry player in making admirable herculean efforts at deploying sophisticated https, still also runs lots of http:// services such as nosslsearch, gstatic, and google-analytics. The cost of a cert isn't what is holding them back from making those services https only - and they are the best case scenario for a party being both interested and capable.

fwiw - nobody would be happier than me if [1] dwindled to 0 and OE was moot, I just think it will be a super long time in coming and in the interim we can substitute some of that plaintext with ciphertext and that's a win for our users.

-P