IETF Logo Mail Archive

Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard

Dave Crocker <dhc@dcrocker.net> Fri, 24 October 2014 14:41 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B37C41A040C for <ietf@ietfa.amsl.com>; Fri, 24 Oct 2014 07:41:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ypNSYf6BKskF for <ietf@ietfa.amsl.com>; Fri, 24 Oct 2014 07:41:55 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E38A31A0406 for <ietf@ietf.org>; Fri, 24 Oct 2014 07:41:55 -0700 (PDT)
Received: from [172.20.8.179] (50-78-253-44-static.hfc.comcastbusiness.net [50.78.253.44]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id s9OEfdD8022770 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 24 Oct 2014 07:41:45 -0700
Message-ID: <544A651B.6030605@dcrocker.net>
Date: Fri, 24 Oct 2014 10:41:31 -0400
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Mark Nottingham <mnot@mnot.net>, IETF <ietf@ietf.org>
Subject: Re: Last Call: <draft-nottingham-safe-hint-05.txt> (The "safe" HTTP Preference) to Proposed Standard
References: <53217238-CF32-4862-AFF1-15899AAE066C@mnot.net> <544A4FAA.3080505@cs.tcd.ie>
In-Reply-To: <544A4FAA.3080505@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.66]); Fri, 24 Oct 2014 07:41:46 -0700 (PDT)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/V2CBeK0EsBtpJusrGgRbRiNPf60
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 14:41:57 -0000

On 10/24/2014 9:10 AM, Stephen Farrell wrote:
>> This isn't relevant, as it's in LC now and no extensibility is
>> allowed (as John points out).
> 
> I think that's wishful thinking. There is nothing to stop
> someone writing code or an I-D that extends this say to
> have a UA to emit "Prefer: safe+religion-porn+crypto" as a
> string and nor should there be something to prevent that.
> (Bad as it is, we can't and shouldn't try prevent it.)

What you've offered can be used to defeat any and all proposals:

     Some unknown person might, at some unknown time in the future, do
something that might be problematic.

Any spec can be abused.  Some actually are.  Some aren't.

There is a concrete specification in front of the IETF.  It is simple
and it minimally builds on existing practice.

Evaluation of the spec should be of the spec.  Not on some vague and
hypothetical fear that someone might abuse it.


If you have concrete data to substantiate your fear, please provide it.


>> Safe lines up the incentives very well; sites want to give the users
>> the content they prefer. This is demonstrated on search engines,
>> social network sites, and so on.
> 
> I am not convinced of that. The proponents of DNT turned out
> to be wrong, but presumably didn't think they were wrong when
> they proposed DNT to the IETF. 

DNT was a ready-fire-aim effort.  It created a reporting mechanism but
without any follow-through to formulate and assure back-end benefit.

The current specification is fundamentally different because it is based
on existing practice.  So there is already a basis for believing that
users will want it and find it useful.


> I'll also note that there are some actors here who are incented
> to censor the Internet, and they will I think, welcome this.

So now you are arguing that some unknown set of actors might have
questionable motives.  Again, that's irrelevant. The issue is whether
the specification makes sense.

The specification enables a voluntary mechanism, tapping into an
existing capability that has already been shown to be desired and useful.


> I have explicitly heard some government folks equate the word
> safe with "unencrypted."

The specification defines its use of the term, as IETF specifications
usually do.  So the fact that someone, somewhere has used the term
differently isn't all that relevant.

(What is ironic about your vocabulary objection is how comfortable you
remain with use of the word 'security' in 'opportunistic security' in
spite of its having no precise meaning and long-established usage that
is ambiguous and wrong. Even better is that the actual substance of the
draft using the term is only about encryption.  So you are equating
encryption and security, which is a particularly unfortunate ambiguation...)


d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

v2.23.0 | Report a Bug | By Email