Re: Proposed Statement on "HTTPS everywhere for the IETF"

John C Klensin <> Wed, 03 June 2015 20:42 UTC


--On Wednesday, June 03, 2015 21:18 +0100 Stephen Farrell
<> wrote:

>> Take a hum at next plenary and find out if people want the
>> IETF to actually use security or not.
> Maybe a hum at a plenary is a bit too large a hammer to bring
> out for this fairly modest nail.


Independent of the substance of the statement itself -- for the
reasons Tony Hain and others have given and because, as you
point out, things have been available over HTTPS for years and
this is just a change in defaults, this still feels to me more
like theater than like something substantive.  Maybe that is ok
-- theater is sometimes useful.

However, if, in your view and that of the IESG this is a "fairly
modest nail", then I have to question whether the IESG might
have better ways to allocate and prioritize its time and that of
the community.  Put differently, this is either significant
enough (substantively or as theater) to justify whatever time
the IESG has spent on it and will spend in the future, plus the
time the community is spending reading, commenting, and reacting
to comments, or it is not.   If it is not, then the IESG has
made a bad decision about the use of its time and the time of
the community regardless of whether, in a perfect world, HTTPS
would be the default.

So how modest and minor do you really think it is?