
Re: Number of CAs (was: Mandatory encryption as part of HTTP2)

2013-11-17 08:01:15
On Sun, Nov 17, 2013 at 7:15 AM, mutek <mutek(_at_)riseup(_dot_)net> wrote:

> there is another point to take into account:
>
> switching to a CA-based web means killing the natural peering nature of the
> web
>
> I can easily publish a plain HTTP HTML page on my router without asking for
> permission from any CA out there, and the client Firefox shows it
>
> forcing a new crypto-web based on the actual CA multilevel grants could
> kill the web as we know it now

They can't do that. The most they can do is to write a document that
requires use of TLS to do HTTP/2.0. Which not incidentally is exactly what
was originally tried with IPSEC and IPv6.

What I predict the outcome of such a choice would be is take-up of HTTP 2.0
limited to very large sites. Which does not seem to worry the companies
active in the HTTP/2.0 work.

Fortunately that is not the only option for preventing passive
surveillance. We could add an ephemeral DH keying mechanism to HTTP/1.1 and
encrypt only the content. This does not protect metadata in the headers but
does limit the scope of hoovering the net very greatly.


Security is hard and right now TLS is the only security mechanism that is a
success. Whatever else we do in response to Snowdonia, we must not weaken
TLS to make it practical to use pervasively.

-- 
Website: http://hallambaker.com/