Re: Proposed Statement on "HTTPS everywhere for the IETF"

Stephen Farrell <> Mon, 01 June 2015 22:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 356F21A1A98 for <>; Mon, 1 Jun 2015 15:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id T1tUjJ8FbPJC for <>; Mon, 1 Jun 2015 15:54:27 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0B1D71A19FE for <>; Mon, 1 Jun 2015 15:54:27 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 49A81BED5; Mon, 1 Jun 2015 23:54:25 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id al0J_GBJwMii; Mon, 1 Jun 2015 23:54:21 +0100 (IST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 521F5BED9; Mon, 1 Jun 2015 23:54:21 +0100 (IST)
Message-ID: <>
Date: Mon, 01 Jun 2015 23:54:20 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Roland Dobbins <>,
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
References: <> <> <1472054.O9DP0qoCQf@gongo> <> <>
In-Reply-To: <>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Jun 2015 22:54:29 -0000

On 01/06/15 23:41, Roland Dobbins wrote:
> On 2 Jun 2015, at 4:27, Paul Wouters wrote:
>> We had to cater to governments banning encryption for its users, and
>> we now see what that got them.
> They just go around the encryption and compromise the endpoints. 
> They're *governments*, so they have the resources to do that (not
> debating whether or not they should, just stating observed fact).

The proposed statement itself quotes two apparent counter examples
where (allegedly:-) governments used man on the side attacks and
at apparently significant scale.

> Also, universal or near-universal encryption is a serious problem in
> terms of detection, classification, traceback, and mitigation of
> application-layer DDoS attacks.  It drastically limits the scaling
> capacity of defenders, and results in even more cost asymmetry between
> defenders and attackers (in favor of the attackers).

Please contribute concrete text on the technical details of that
to [1]. We do need to document the changes (including downsides)
caused by encrypting more. Text is very welcome for that. (Best
sent to or the authors.)


> My guess is that those who make bold, sweeping statements about how
> everything ought to be encrypted all the time are rarely those who have
> to deal with the unintended consequences of overencryption.

I hope that this discussion doesn't go down the purely distracting
rathole of statements like "everything ought to be encrypted all
the time" - that is as related to this statement as pixie dust
security solutions are to reality, regardless of what position one
adopts in relation to encryption.

That said, I suppose it's inevitable that this discussion at least
looks at the top of that rathole;-) I do hope it's a passing glance
only though.

> In the final analysis, there are no technical solutions for social ills.
>  The entire issue of unwanted surveillance by government entities is a
> social and political problem; it seems pretty clear that since the
> social/political side of things aren't proving to be easily resolved,
> that some folks are advocating doing *something*, *anything*,
> irrespective of whether it will actually make a positive impact on the
> conditions to which they object and without regard to the non-trivial
> side-effects of what they're advocating.
> The IESG and the IETF in general should concentrate on technical issues,
> and work on solving social and political problems should take place in
> other, more appropriate appropriate fora, IMHO.

I don't see how that corresponds to the proposed IESG statement at


> -----------------------------------
> Roland Dobbins <>