On Mon, Mar 24, 2014 at 9:51 AM, Daniel Kahn Gillmor
<[email protected]> wrote:
> On 03/24/2014 12:36 PM, Keith Moore wrote:
>
>> So, what's the incentive for either clients or servers to support OE if
>> clients just silently accept it without any indication to the user?
>> Just for the good of mankind?
>
> I'd say "to increase the cost of pervasive monitoring" and "to resist
> surveillance by passive attackers"
I'd go further - OE for HTTP could have strong auth added to it in the
future, such as pinning or DANE, which *could* be indicated to the
user.
So encryption-without-WebPKI is not just a step away from strong auth,
it's also a step towards
encryption-without-WebPKI-BUT-WITH-EASIER-STRONG-AUTH.
I think a lot of the concern around OE is about the "second-order"
effect of discouraging strong-auth ("it's encrypted, why do more?"),
but I think this is a different second-order effect ("I can do pinning
without needing a cert!") which should be considered.
Trevor
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta