Re: Proposed Statement on "HTTPS everywhere for the IETF"

Richard Barnes <rlb@ipv.sx> Tue, 02 June 2015 18:51 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE5511A7003 for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 11:51:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crUoTrZWwbM0 for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 11:51:24 -0700 (PDT)
Received: from mail-la0-f52.google.com (mail-la0-f52.google.com [209.85.215.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C286A1A8747 for <ietf@ietf.org>; Tue, 2 Jun 2015 11:51:21 -0700 (PDT)
Received: by laei3 with SMTP id i3so44936868lae.3 for <ietf@ietf.org>; Tue, 02 Jun 2015 11:51:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=xy84/ZyHoagxPKZmB2xwYi+DnX8Bz27MfQgmiLmQyTY=; b=T3FKNa7shLW2yq01MmgoSmBr7crj5Tf98rcY1SBlLXWuQOLdiLSbW5F1G4b2BGqIZJ FQoFMtDGoHbxMOkYR8LqraJY9yAfBWnwuOOH9l9EQyZEiXoH9q6Jfc9WJSxvJCCDZAum jelJcdPaTgECAck5Bud83mYp4FDLMyhHW2r52CPeGwKbeC7Jl8NblEBBLVoYox0zkS83 OH+0d6+lL94cxER3KEFzvODOTOI24+OUXpN0qu6RZiK4KE18y6cvR1Lt3mfTJU7VKw/+ Mnc2JXmw9VAkhXO0I6OfsfauluPr7FsPvgs+14IkFKCH8+ydOcJQNjaP2JJK3scSw6qz CpDQ==
X-Gm-Message-State: ALoCoQnMRIP1RWnqhsV7Sv4zPHoqBbP6tQD2PquycK2ltOOGYI+kccnCu5/JstvPaZgxdGOMeqaS
MIME-Version: 1.0
X-Received: by 10.112.120.162 with SMTP id ld2mr6859024lbb.68.1433271080314; Tue, 02 Jun 2015 11:51:20 -0700 (PDT)
Received: by 10.25.214.162 with HTTP; Tue, 2 Jun 2015 11:51:20 -0700 (PDT)
In-Reply-To: <556DE0EF.2040809@isi.edu>
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <CAL02cgRPFooA5fVFwvdprb3wPD+Y55pD+7RWjkACDv7T_TBW5Q@mail.gmail.com> <556DE0EF.2040809@isi.edu>
Date: Tue, 2 Jun 2015 14:51:20 -0400
Message-ID: <CAL02cgSdSFOaDqz9+jAZ7KsoMXOa5u=ff_i=c3EQ-SG0-ZPG7A@mail.gmail.com>
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
From: Richard Barnes <rlb@ipv.sx>
To: Joe Touch <touch@isi.edu>
Content-Type: multipart/alternative; boundary=047d7beb91b69c003e05178d6df8
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/5qjM2e5QJs4WILYJBMQibYeVpCY>
Cc: "ietf@ietf.org" <ietf@ietf.org>, IETF Announcement List <ietf-announce@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 18:51:25 -0000

On Tue, Jun 2, 2015 at 12:59 PM, Joe Touch <touch@isi.edu> wrote:

> On 6/1/2015 10:16 AM, Richard Barnes wrote:
> > Do it.  Do it boldly and fearlessly.  Make the statement and implement
> it.
> >
> ...
> > Don't be tied to legacy.  Anything that doesn't support HTTPS at this
> > point needs to upgrade and deserves to be broken.
>
> Leaving out the have-nots - or those whose access is blocked by others
> when content cannot be scanned - isn't moving forward.
>

[citation-required]

Where is this place where the entire HTTPS web is not accessible?  How do
they do their banking, or buy things?

That said, though, I agree with you and Ted that there's consensus to
proceed with *adding* HTTPS-based access.  Let's turn on HTTPS and HSTS as
a first step, see how many 9s of the user base that gets us.

--Richard


HTTP isn't legacy. It's open. I thought the IETF was too.
>
> Joe
>
> PS - I noticed you didn't PGP-sign this post. Hello, pot.
>
> (ref: http://en.wikipedia.org/wiki/The_pot_calling_the_kettle_black)
>