On Sun, Nov 17, 2013 at 7:15 AM, mutek <mutek@xxxxxxxxxx> wrote:
> There is another point to take into account:
> Switching to a CA-based web means killing the natural peering nature of the web.
> I can easily publish a plain HTTP HTML page on my router without asking for permission from any CA out there, and the client Firefox shows it.
> Forcing a new crypto-web based on the actual CA multilevel grants could kill the web as we know it now.
They can't do that. The most they can do is to write a document that requires use of TLS to do HTTP/2.0. Which, not incidentally, is exactly what was originally tried with IPSEC and IPv6.
What I predict the outcome of such a choice would be is take-up of HTTP 2.0 limited to very large sites. Which does not seem to worry the companies active in the HTTP/2.0 work.
Fortunately that is not the only option for preventing passive surveillance. We could add an ephemeral DH keying mechanism to HTTP/1.1 and encrypt only the content. This does not protect metadata in the headers but does limit the scope of hoovering the net very greatly.
Security is hard and right now TLS is the only security mechanism that is a success. Whatever else we do in response to Snowdonia, we must not weaken TLS to make it practical to use pervasively.
Website: http://hallambaker.com/
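The content-only encryption idea in the reply above, as an added illustration that is not code from the thread or from any real HTTP extension: both sides exchange ephemeral Diffie-Hellman values in the clear, derive a content key, and encrypt only the response body, so a passive observer still reads the request line, Host and Content-Length but not the body. The `X-DH-Public` and `X-DH-Nonce` headers are hypothetical names invented for this example, and the body cipher (an HMAC-SHA256 keystream plus HMAC tag) is chosen only so the example runs on the Python standard library; a real design would use a vetted AEAD. Because the exchange is unauthenticated, it counters passive collection only; an active attacker who can rewrite the headers can substitute their own DH value, which is the reason the reply treats this as a complement to TLS rather than a replacement.

```python
"""Added example: ephemeral-DH keyed, body-only encryption over HTTP/1.1 framing.
Hypothetical protocol; the X-DH-* headers and the HMAC-based body cipher are
constructed for illustration, not taken from any specification."""
import hashlib
import hmac
import secrets

# 2048-bit MODP safe prime (RFC 3526, group 14); any agreed safe prime would do.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Fresh ephemeral key per exchange: nothing long-lived to seize later."""
    priv = secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]
    return priv, pow(G, priv, P)


def dh_content_key(priv, peer_pub, transcript):
    """Shared secret -> 32-byte content key, bound to both public values."""
    if not 2 <= peer_pub <= P - 2:               # reject 0, 1 and P-1 (trivial subgroups)
        raise ValueError("peer DH value out of range")
    shared = pow(peer_pub, priv, P).to_bytes(256, "big")
    prk = hmac.new(b"http-content-dh", shared, hashlib.sha256).digest()   # HKDF extract
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()   # HKDF expand


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for a real AEAD)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC the body; returns (nonce, ciphertext||tag)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce, ct + tag


def open_(key, nonce, sealed):
    """Verify the tag in constant time before touching the ciphertext."""
    ct, tag = sealed[:-32], sealed[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("body tag mismatch: tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def parse_message(raw):
    """Minimal HTTP/1.1 framing: start line, lower-cased header dict, body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:])}
    return lines[0], headers, body


def run_exchange(path, secret_body):
    """Client -> server -> client round trip; returns (decrypted body, what a sniffer saw)."""
    # Client: ephemeral public value travels in a clear-text header (hypothetical name).
    c_priv, c_pub = dh_keypair()
    request = (f"GET {path} HTTP/1.1\r\nHost: example.test\r\n"
               f"X-DH-Public: {c_pub:x}\r\n\r\n").encode()

    # Server: derive the key from the client's value and encrypt only the body.
    req_line, req_hdrs, _ = parse_message(request)
    s_priv, s_pub = dh_keypair()
    client_pub = int(req_hdrs["x-dh-public"], 16)
    s_key = dh_content_key(s_priv, client_pub, f"{client_pub:x}|{s_pub:x}".encode())
    nonce, sealed = seal(s_key, secret_body)
    response = (f"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                f"Content-Length: {len(sealed)}\r\nX-DH-Public: {s_pub:x}\r\n"
                f"X-DH-Nonce: {nonce.hex()}\r\n\r\n").encode() + sealed

    # Client: same transcript, same key, open the body.
    _, rsp_hdrs, body = parse_message(response)
    server_pub = int(rsp_hdrs["x-dh-public"], 16)
    c_key = dh_content_key(c_priv, server_pub, f"{c_pub:x}|{server_pub:x}".encode())
    plaintext = open_(c_key, bytes.fromhex(rsp_hdrs["x-dh-nonce"]), body)

    # Passive observer: headers and body length remain readable, the body does not.
    observed = {
        "request_line": req_line,
        "host": req_hdrs["host"],
        "content_length": int(rsp_hdrs["content-length"]),
        "body_plaintext_visible": secret_body in response,
    }
    return plaintext, observed


if __name__ == "__main__":
    pt, seen = run_exchange("/account", b"balance: 42")   # constructed sample
    print(pt, seen)
```

Running it prints the recovered body and an observer view that still contains the request line, the Host header and the byte count of the body. That visible metadata is the limitation the reply points at; the derivation binding both public values into the key (the transcript) is what stops a passive party who only records the exchange from recomputing the key.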