Re: Proposed Statement on "HTTPS everywhere for the IETF"

Yoav Nir <ynir.ietf@gmail.com> Thu, 04 June 2015 07:06 UTC

> On Jun 4, 2015, at 6:27 AM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
>> I never argued that there is not a general threat to privacy due to recording, just that it does not apply here. My point was that the IETF does not have a general technical REQUIREMENT for privacy. There are many that WANT privacy in everything they do, but that does not equate to a real requirement for the public content of an open organization. Substituting security&privacy only makes a bad choice of words worse. The IETF has no business case for either, and if there was a case something would have been done about it long before now.
> 
> It isn't the content that is private, of course. However, if there are IETF
> participants who require a degree of privacy about their use of IETF public
> information, it is entirely reasonable for the IETF to support that with a
> straightforward measure like HTTPS. As has been pointed out already, that
> is insufficient to provide a high degree of privacy.

That’s a big “if”. I don’t believe there are IETF participants who require privacy about accessing IETF information. 

> Try "...the act of accessing public information required for routine tasks
> can be privacy sensitive *on the user's side*…"

This is very true for Wikipedia, very true about news sites and many other sites. Not the IETF.

> I don't see anything political about that. It's factual.

The statement (made by Richard Barnes, not by the IESG) that the IETF should lead by example and move to all HTTPS is very political. The proposal prioritizes the concerns of some group (small or large) and levies a burden on the entire community (TLS is not free; finding www.cleartext.ietf.org takes effort). That is a political decision. It’s a small one. I agree with John Klensin that this is something the IESG could (and should) have done on its own without starting a discussion on a proposed statement. 

Yoav