Security for various IETF services

Stephen Farrell, Thu, 03 April 2014 16:21 UTC

Date: Thu, 03 Apr 2014 17:21:36 +0100
From: Stephen Farrell <>
To: IETF-Discussion <>
Subject: Security for various IETF services

Hi all,

From time to time the issue of how to secure IETF services
comes up e.g. whether to turn on TLS for some IETF web server
or jabber or mail etc.

The most recent such was a request to turn on HSTS [1] for
the IETF web site, which I don't think we can do without
breaking old tools etc. Nonetheless we would like to turn
on things like TLS more often going forward as seemed to
me to be the outcome of a long thread on here late last

So, the IESG are considering the following as an IESG
statement to offer some guidance about this:

"The IETF are committed to providing secure and privacy
friendly access to information via the web, mail, jabber
and other services. While most (but not all) data on IETF
services is public, nonetheless access to that data
should use best practices for security and privacy.
However, as there are numerous legacy tools that have been
built that require access via cleartext, the IETF will
continue to allow such access so as not to break such
tooling. New services will however generally only be made
available in ways that use security protocols such as

If you have wordsmithing changes to suggest please just send
those to me or the iesg. More substantive comments should go
here I guess. I hope the only bit worth discussing (except
for the few folks who would rather we do none of this;-)
might be the last sentence.

A few weeks after any discussion here dies down I'll put the
resulting text on an IESG telechat for approval if that seems
like the right thing to do.