> But that would no longer be about HTTP. At least as far as the things
> we've been talking about exposing in browsers are concerned.

Lots of things speak over http that aren't (permanently) connected to the
global web / dns, why is that not of any concern?

On 21 November 2014 16:09, Anne van Kesteren <ann...@annevk.nl> wrote:

> On Fri, Nov 21, 2014 at 3:53 PM, Patrick McManus <mcma...@ducksong.com>
> wrote:
> > nosslsearch.google.com is an example of the weight of regulatory compliance
> > in action. Google talks loudly about all https (and has the leading track
> > record), yet there it is. And google isn't special in that regard.
>
> Why would they be allowed to use OE?
>
>
> >> I.e. Let's Encrypt going away somehow?
> >
> > More generally being dependent on a CA is an additional third party
> > operational risk when comparing http:// vs https://.. you're already
> > dependent on your DNS provider and an ISP and now your fate is also linked
> > to the CA that signed your cert too. e.g. at the most basic level not
> > revoking it on you - but also not doing something dumb unrelated to you
> > that gets the signing cert your CA used tossed out of UAs (again).
>
> That risk seems tiny compared to the risk of having an end user
> man-in-the-middled.
>
>
> >>> non-access to webpki.
> >>
> >> Does this mean intranets?
> >
> > mostly.. but more generally things that don't bind well to the global dns
> > that the webpki relies on.. so potentially peer to peer and mesh
> > interactions too..
>
> But that would no longer be about HTTP. At least as far as the things
> we've been talking about exposing in browsers are concerned.
>
>
> --
> https://annevankesteren.nl/
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>