Re: Proposed Statement on "HTTPS everywhere for the IETF"

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 01 June 2015 22:54 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356F21A1A98 for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 15:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T1tUjJ8FbPJC for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 15:54:27 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B1D71A19FE for <ietf@ietf.org>; Mon, 1 Jun 2015 15:54:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 49A81BED5; Mon, 1 Jun 2015 23:54:25 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id al0J_GBJwMii; Mon, 1 Jun 2015 23:54:21 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.31.250]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 521F5BED9; Mon, 1 Jun 2015 23:54:21 +0100 (IST)
Message-ID: <556CE29C.6040503@cs.tcd.ie>
Date: Mon, 01 Jun 2015 23:54:20 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Roland Dobbins <rdobbins@arbor.net>, ietf@ietf.org
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <CAL02cgRPFooA5fVFwvdprb3wPD+Y55pD+7RWjkACDv7T_TBW5Q@mail.gmail.com> <1472054.O9DP0qoCQf@gongo> <alpine.LFD.2.11.1506011720390.12155@bofh.nohats.ca> <FACB397F-15AA-4FE1-ABF2-1545ABBACF31@arbor.net>
In-Reply-To: <FACB397F-15AA-4FE1-ABF2-1545ABBACF31@arbor.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/EToXr-YhcHFHNhKL0_lwXnH8oDw>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 22:54:29 -0000


On 01/06/15 23:41, Roland Dobbins wrote:
> 
> On 2 Jun 2015, at 4:27, Paul Wouters wrote:
> 
>> We had to cater to governments banning encryption for its users, and
>> we now see what that got them.
> 
> They just go around the encryption and compromise the endpoints. 
> They're *governments*, so they have the resources to do that (not
> debating whether or not they should, just stating observed fact).

The proposed statement itself quotes two apparent counter examples
where (allegedly:-) governments used man on the side attacks and
at apparently significant scale.

> 
> Also, universal or near-universal encryption is a serious problem in
> terms of detection, classification, traceback, and mitigation of
> application-layer DDoS attacks.  It drastically limits the scaling
> capacity of defenders, and results in even more cost asymmetry between
> defenders and attackers (in favor of the attackers).

Please contribute concrete text on the technical details of that
to [1]. We do need to document the changes (including downsides)
caused by encrypting more. Text is very welcome for that. (Best
sent to saag@ietf.org or the authors.)

   [1] https://tools.ietf.org/html/draft-mm-wg-effect-encrypt

> 
> My guess is that those who make bold, sweeping statements about how
> everything ought to be encrypted all the time are rarely those who have
> to deal with the unintended consequences of overencryption.

I hope that this discussion doesn't go down the purely distracting
rathole of statements like "everything ought to be encrypted all
the time" - that is as related to this statement as pixie dust
security solutions are to reality, regardless of what position one
adopts in relation to encryption.

That said, I suppose it's inevitable that this discussion at least
looks at the top of that rathole;-) I do hope it's a passing glance
only though.

> 
> In the final analysis, there are no technical solutions for social ills.
>  The entire issue of unwanted surveillance by government entities is a
> social and political problem; it seems pretty clear that since the
> social/political side of things aren't proving to be easily resolved,
> that some folks are advocating doing *something*, *anything*,
> irrespective of whether it will actually make a positive impact on the
> conditions to which they object and without regard to the non-trivial
> side-effects of what they're advocating.
> 
> The IESG and the IETF in general should concentrate on technical issues,
> and work on solving social and political problems should take place in
> other, more appropriate appropriate fora, IMHO.

I don't see how that corresponds to the proposed IESG statement at
all.

S.


> 
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
> 
> 
>