Re: Proposed Statement on "HTTPS everywhere for the IETF"

Eliot Lear <lear@cisco.com> Tue, 02 June 2015 04:44 UTC

Return-Path: <lear@cisco.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03391ACE9F for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 21:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 56penRmXCPu4 for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 21:44:08 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1DEF1ACEA1 for <ietf@ietf.org>; Mon, 1 Jun 2015 21:44:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3338; q=dns/txt; s=iport; t=1433220247; x=1434429847; h=message-id:date:from:mime-version:to:subject:references: in-reply-to; bh=R5gZuLn6ggFDoyQfoxtF4LysEJZkrJlvS9nuBvMNYTM=; b=CVrLFUNQtz53e/1yIB9tM610h3u5JeO7HxKBFFgcj7zLDZyYw8okz+mw UdD6igTVL2W3bAetfxMWuFZ/L/tITT9O6FUnLZyM5SF2MYDnXyJcq0ASS wuiGNjqyOIv4798WpKcusKpRGJgTOezZLmh3/lm29/9XyMBP6/kSJgu13 U=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DjAwCCM21V/xbLJq1bg2Regx67PwmBWoV3AoFrFAEBAQEBAQGBCoQjAQEEI1URCxgJFgsCAgkDAgECAUUTBgIBARCIGQ20XqQaAQEBBwIBGwSLQ4QZdBaCUoFFAQSVIoFDYYZggSuDc4JejzwjYYMZPDEBgQuBOwEBAQ
X-IronPort-AV: E=Sophos;i="5.13,537,1427760000"; d="asc'?scan'208";a="507387488"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP; 02 Jun 2015 04:44:05 +0000
Received: from [10.61.71.170] (ams3-vpn-dhcp1962.cisco.com [10.61.71.170]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id t524i5QN006139 for <ietf@ietf.org>; Tue, 2 Jun 2015 04:44:05 GMT
Message-ID: <556D3495.7090205@cisco.com>
Date: Tue, 02 Jun 2015 06:44:05 +0200
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com>
In-Reply-To: <20150601164359.29999.35343.idtracker@ietfa.amsl.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="sNskvFNu9D0oEB38wC5H64OCUI2lHb7B9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/bz84yaa5nd6Hg9I69k95Gg58XOM>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 04:44:09 -0000

If I understand the intent of this statement, that this is for IETF
services to be encrypted via TLS at this point in time, and that clear
text will continue to be supported, then I strongly support that tooling
approach, statement or no statement, being pursued by the secretariat. 
I support this approach not because the IETF communications contain
massive amounts of private data (I wouldn't imagine this is not true),
but because we need to be eating our own dog food so that we understand
the sorts of pitfalls others will face when we emplore them to encrypt. 
This way we can first face those issues and perhaps address them.

It would be helpful to understand what this statement will mean in
practical terms in the near future.  If what we are saying is that the
secretariat will pursue alternatives to the current rsync / ftp
approaches, that's fine.  It's what I was suggesting in the last round
of discussions.  Is git in our near future (not objecting, just wondering)?

With regard to plain text, it would be helpful if the secretariat could
report how much plaintext is actually accessed, and if at all possible,
by the number of different "users", so that we can determine when – if
ever – to turn off plain text.  It may also help us understand if there
are certain geographies that are not accessing encrypted information.

And yes, as always, I prefer decisions to be documented in RFCs but I
care far less in this case, since it is a policy that would direct the
secretariat and not participants.

Eliot

On 6/1/15 6:43 PM, The IESG wrote:
> Hi All,
>
> The IESG are planning to agree an IESG statement on "HTTPS Everywhere
> for the IETF," please see [1] for the current text.
>
> We are seeking community feedback on this and welcome assistance
> from the community in identifying any cases where a change or
> additional guidance is needed to put this into effect.
>
> The IESG plans to finalise this statement just after IETF-93 in Prague.
>
> * Please send general feedback intended for discussion to ietf@ietf.org
>
> * Comments about specific issues arising can be sent to iesg@ietf.org
> or tools-discuss@ietf.org as appropriate (use iesg@ietf.org if not sure)
>
> Regards,
> Terry & Stephen (for the IESG)
>
> [1] https://trac.tools.ietf.org/group/iesg/trac/wiki/HttpsEverywhere
>
>
>