Re: Proposed Statement on "HTTPS everywhere for the IETF"

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 03 June 2015 20:16 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF79B1A8794; Wed, 3 Jun 2015 13:16:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-vuL9bE8uzi; Wed, 3 Jun 2015 13:16:11 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C2331ACE7F; Wed, 3 Jun 2015 13:16:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 582A1BF07; Wed, 3 Jun 2015 21:16:09 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LeSaziyYo40c; Wed, 3 Jun 2015 21:16:07 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.31.250]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id AB4C2BF06; Wed, 3 Jun 2015 21:16:07 +0100 (IST)
Message-ID: <556F6083.4080801@cs.tcd.ie>
Date: Wed, 03 Jun 2015 21:16:03 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Tony Hain <alh-ietf@tndh.net>, ietf@ietf.org, 'IETF Announcement List' <ietf-announce@ietf.org>
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <0ab501d09e37$f4098980$dc1c9c80$@tndh.net>
In-Reply-To: <0ab501d09e37$f4098980$dc1c9c80$@tndh.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/CeJyzn45iVK27VET5r2w9AK4Kw4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 20:16:14 -0000

Hi,

On 03/06/15 21:00, Tony Hain wrote:
> While I don't object to making the IETF content available via
> https/tls, 

That's been done for ages. This just makes it the default. Which
does require some minor changes.

> this proposed statement reads as political knee-jerk BS
> that is both unnecessary and uncalled for. What the statement MUST
> focus on is 'data integrity', and SHOULD NOT stoop to fear mongering
> over 'privacy'. 

I have to say the above seems somewhat overstated. (Where my use of
"somewhat" is understatement:-)

> "It is public data ..." For the very small subset
> that is truly restricted access, it is fine to acknowledge 'privacy'
> as a concern, but for the vast majority of the content in question,
> 'data integrity' is the only real concern.

I would assert that the existence of the dprive WG is good evidence
that the IETF does not consider data-integrity as the only real
concern for public data.

I'd also note that there is no TLS ciphersuite that satisfies BCP195
and that only provides data integrity. That very recent IETF consensus
document says one MUST NOT negotiate any of the ciphersuites with
NULL encryption (essentially outside of testing/debug). So what you
appear to want this statement to say would seem to be inconsistent
with IETF consensus.

Cheers,
S.


> 
> As such, I oppose the statement as written. Fix the tone and I will
> be a strong supporter.
> 
> Tony
> 
> 
>> -----Original Message----- From: IETF-Announce
>> [mailto:ietf-announce-bounces@ietf.org] On Behalf Of The IESG Sent:
>> Monday, June 01, 2015 9:44 AM To: IETF Announcement List Subject:
>> Proposed Statement on "HTTPS everywhere for the IETF"
>> 
>> Hi All,
>> 
>> The IESG are planning to agree an IESG statement on "HTTPS
>> Everywhere for the IETF," please see [1] for the current text.
>> 
>> We are seeking community feedback on this and welcome assistance
>> from the community in identifying any cases where a change or
>> additional guidance is needed to put this into effect.
>> 
>> The IESG plans to finalise this statement just after IETF-93 in
>> Prague.
>> 
>> * Please send general feedback intended for discussion to
>> ietf@ietf.org
>> 
>> * Comments about specific issues arising can be sent to
>> iesg@ietf.org or tools-discuss@ietf.org as appropriate (use
>> iesg@ietf.org if not sure)
>> 
>> Regards, Terry & Stephen (for the IESG)
>> 
>> [1]
>> https://trac.tools.ietf.org/group/iesg/trac/wiki/HttpsEverywhere
> 
> 
>