Re: Proposed Statement on "HTTPS everywhere for the IETF"

"John Levine" <johnl@taugh.com> Tue, 02 June 2015 01:23 UTC

Date: Tue, 02 Jun 2015 01:22:56 -0000
Message-ID: <20150602012256.31331.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
In-Reply-To: <alpine.LFD.2.11.1506011720390.12155@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/uC9ElRiWRWL8Ne6jepv7YesC4hY>
Cc: paul@nohats.ca

>> - And: there ARE people and services which don't allow encrypted access for
>> legal or organisational reasons - 

It doesn't have to be anything that deliberate.  On my mobile phone, I
run into web sites all the time where for some reason the phone
doesn't like the SSL certificate and makes it very difficult to click
through.  They work fine on my Mac and Linux boxes, so who knows
what's wrong.  Given the absurd number of CAs, it's probably some
mismatch of intermediate certs, and I could track it down and fix it
eventually, but in the meantime, it would be nice if I still had the
option to look at the fripping stuff.

We should be able to assume our users are big girls and boys who can make
reasonable tradeoffs in the face of the inevitable failure of some of the
moving parts.

R's,
John