Re: https at

t.p. <> Thu, 07 November 2013 11:15 UTC

Message-ID: <055201cedbaa$412fd4a0$>
From: t.p. <>
To: Tim Bray <>, <>
References: <><><> <>
Subject: Re: https at
Date: Thu, 7 Nov 2013 11:12:04 +0000
Cc: IETF-Discussion Discussion <>

----- Original Message -----
From: "Tim Bray" <>
To: <>
Cc: "IETF-Discussion Discussion" <>
Sent: Wednesday, November 06, 2013 2:35 AM

I disagree. I can’t think of a scenario in which a human who
to use IETF publications would not have access to an HTTPS-capable user
agent.  -T

I want access to IETF publications in order to contribute to the
standards process and I have access to a very fine, HTTPS-capable user
agent (supplied by Microsoft).  It works with almost every web site in
the world, but not with the IETF's.

For any https:// link, the initial html is downloaded, the CRL is
downloaded and .....
zilch, nothing, a blank screen and a little globe that spins for hours.

Quite what is wrong with the IETF certificate chain's CRL I do not know,
but I do know that the IETF website is inaccessible with HTTPS.  Of
course, I can turn off CRL checking and it works perfectly.  Which I
think is a good summary of where we have got to with security (and no,
OCSP is not out there yet).

This thread started with a design and, as other messages on this thread
have pointed out, it would seem that that design, https, is largely
irrelevant to the actual requirement, namely authentication; but the
IETF has designed a very fine hammer, namely https, so let's get to work
with the
Tom Petch

On Tue, Nov 5, 2013 at 6:21 PM, <> wrote:

> > I don't see reason to use https for delivery of public documents
> > as RFCs and Internet Drafts. All that would really accomplish is
> > reduce caching opportunities.
> I don't have any problem with making things available via https, but it
> needs to be possible to retrieve things with regular http. Not everything
> is retrieved by a browser and not every tool out there supports https.
>                                 Ned