Re: https at ietf.org

[ned+ietf@mauve.mrochek.com]

> On Thu, Nov 7, 2013 at 8:54 AM, <ned+ietf@mauve.mrochek.com> wrote:

> >
> > > The trust that the
> > > Government(s) will only tap the traffic of those that are a grave concern
> > > to their security interests has completely vanished.
> >
> > That doesn't trump the need for access to our materials to be as open as
> > possible.
> >

> Hmm, what does “open” mean? Maximally accessible technologically, or
> maximally accessible without any worry about who might be watching?  The
> answer isn’t obvious at all.

Mandating https on IETF web sites won't prevent people from seeing the access.
And thay may well constitute a reason to worry. Indeed, the fact that content
isn't observable may make the access more problematic in certain places, not
less.

So let's not pretend this accomplishes the goal of eliminating worry about
who may be watching, OK?

> This is a discussion that needs to happen at much greater length and depth,
> and outside not just inside the IETF community.  But, FYI, there are a
> substantial number of people who feel like the sane response to pervasive
> surveillance is pervasive encryption.  And if you encrypt “only the
> controversial stuff”, you make encryption itself controversial, and its use
> a red flag for those currently attacking the Internet.

Ah yes, the old postcard argument. I didn't really buy it when Phil Zimmerman
made it ~20 years ago and I don't really buy it now, because it fails to take
traffic analysis into account. And if there's one thing we have learned from
the recent disclosures, it's that traffic analysis is a big deal.

But this is the thing about opportunistic encryption: We can make the shift to
mostly using envelopes without having to abandon or inconvenience lots of
people and without compromising our mission in the process.

				Ned