[whatwg] fixing the authentication problem

[Eduard Pascual]

On Tue, Oct 21, 2008 at 3:48 PM, Aaron Swartz <me at aaronsw.com> wrote:
> There are three costs to SSL:
>
> 1. Purchasing a signed cert.
> 2. Configuring the web server.
> 3. The CPU time necessary to do the encryption.
>
> 1 could be fixed by less paranoid UAs, 2 could be fixed with better
> software and SNI, and 3 could be fixed by better hardware. But,
> realistically, I don't see any of these things happening.
There is a difference between something having a cost, and that cost
being expensive:
(1) is definitely expensive (I know that first-hand), and most
probably out of the reach for any non-revenue website.
(2) is not expensive: currently, many server management software
already handles this decently (I'm right now thinking of CPanel, one
of the most widely deployed utilities of this type, and it allows
installing a certificate with just a few clicks).
(3) Your suggestion is not addressing that point: encryption will
still be done by the client, and decryption by the server.

In addition, for the first cost; I'm still convinced that UAs should
be fixed, because their paranoid behavior is generally wrong. I don't
think this spec should deal with browsers' bugs and paranoias on
aspects that are not strictly HTML-related; even less to specify
workarounds to these bugs that require browsers to duplicate the tasks
that are currently showing these bugs. What makes you think browsers
would behave less paranoically to your approach than to self-signed
certificates? OTOH, changing the messages show to the user when
self-signed certificates are encountered to be more informative and
less missleading should be far easier than adding a new hook to
trigger encryption (the former only requires reviewing and updating
some texts to something that makes sense, while the later involves
changes on the way forms are handled, which would require additional
testing and might arise even new bugs). That's, however, only my point
of view.