On Fri, Nov 21, 2014 at 3:53 PM, Patrick McManus <mcma...@ducksong.com> wrote:
> nosslsearch.google.com is an example of the weight of regulatory compliance
> in action. Google talks loudly about all https (and has the leading track
> record), yet there it is. And google isn't special in that regard.

Why would they be allowed to use OE?

>> I.e. Let's Encrypt going away somehow?
>
> More generally being dependent on a CA is an additional third party
> operational risk when comparing http:// vs https://.. you're already
> dependent on your DNS provider and an ISP and now your fate is also linked
> to the CA that signed your cert too. e.g. at the most basic level not
> revoking it on you - but also not doing something dumb unrelated to you
> that gets the signing cert your CA used tossed out of UAs (again).

That risk seems tiny compared to the risk of having an end user
man-in-the-middled.

>>> non-access to webpki.
>>
>> Does this mean intranets?
>
> mostly.. but more generally things that don't bind well to the global dns
> that the webpki relies on.. so potentially peer to peer and mesh
> interactions too..

But that would no longer be about HTTP. At least as far as the things
we've been talking about exposing in browsers are concerned.

--
https://annevankesteren.nl/