Re: Proposed Statement on "HTTPS everywhere for the IETF"

<l.wood@surrey.ac.uk> Tue, 02 June 2015 12:00 UTC

From: l.wood@surrey.ac.uk
To: jari.arkko@piuha.net, mnot@mnot.net
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
Date: Tue, 02 Jun 2015 12:00:49 +0000
Message-ID: <DB4PR06MB457BF6355CD4CB064AF1FCCADB50@DB4PR06MB457.eurprd06.prod.outlook.com>
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <3383C786-8549-4356-99A4-75786B3CCD83@mnot.net>, <249FA10E-1BFA-4DB4-A42F-8D3B74866F97@piuha.net>
In-Reply-To: <249FA10E-1BFA-4DB4-A42F-8D3B74866F97@piuha.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/anC3wBbXwz6t3vakZDHq_Ezf-Ek>
Cc: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>

See TimBL's "don't break the web" request to keep the URIs the same, regardless of method of access.

http://www.w3.org/DesignIssues/Security-NotTheS.html
________________________________________
From: ietf <ietf-bounces@ietf.org> on behalf of Jari Arkko <jari.arkko@piuha.net>
Sent: Tuesday, 2 June 2015 9:41:08 PM
To: Mark Nottingham
Cc: ietf@ietf.org
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"

Mark:

> I support this policy.

Thanks.

> I'd suggest that if it's felt that cleartext content needs to be available, it NOT be at <http://www.ietf.org/> (and similar); it should be on a different hostname; e.g., <http://www.cleartext.ietf.org/>. The http version of the URL should 301 to the corresponding https resource, and HSTS should be in use.

That’s very good feedback - thanks. We will take it into consideration.

Jari
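
Added example, not part of the thread or any participant's message: a Python check for the deployment suggested above (the http URL answers 301 to the corresponding https URL, HSTS in use, cleartext kept on a separate hostname). It also covers one case beyond the thread: an HSTS policy with includeSubDomains set on a parent domain would force HTTPS on the cleartext hostname too. The function names and the sample path are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None                      # repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                      # max-age is the one required directive
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

def check_redirect(url, status, location):
    """Return the problems with an http:// response that should 301 to the
    *corresponding* https resource (same host, path and query)."""
    src, dst = urlsplit(url), urlsplit(location or "")
    problems = []
    if status != 301:
        problems.append("status is %s, expected 301" % status)
    if dst.scheme != "https":
        problems.append("redirect target is not https")
    if (dst.hostname, dst.path or "/", dst.query) != (src.hostname, src.path or "/", src.query):
        problems.append("redirect does not keep host, path and query")
    return problems

def hsts_covers(policy_host, policy, host):
    """True if an HSTS policy noted for policy_host forces HTTPS on host."""
    if policy is None or policy["max_age"] == 0:   # max-age=0 removes the policy
        return False
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)

# Constructed sample values; the hostnames are the ones named in the thread.
SAMPLE_URL = "http://www.ietf.org/sample/path?x=1"
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"
```

A browser only honours the Strict-Transport-Security header when it arrives over HTTPS, so the header has to be checked on the https response, not on the 301.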