Re: Proposed Statement on "HTTPS everywhere for the IETF"

Paul Wouters <paul@nohats.ca> Mon, 01 June 2015 21:27 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A521A0046 for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 14:27:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDia2twd0SGq for <ietf@ietfa.amsl.com>; Mon, 1 Jun 2015 14:27:46 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A7A51A002F for <ietf@ietf.org>; Mon, 1 Jun 2015 14:27:46 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3m0qNJ36J7z1Hc; Mon, 1 Jun 2015 23:27:44 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=X1Hl881r
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id cDNHnqrKN5eQ; Mon, 1 Jun 2015 23:27:43 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 1 Jun 2015 23:27:43 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 5C70C8002E; Mon, 1 Jun 2015 17:27:40 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1433194060; bh=CsJnye0qJt4E7BZdz1YiySV0zB5wW1ymB+mgY3CJXNQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=X1Hl881rlzaWwBaqNd/CEfLe22M7u3LTpuhF/lq8JU/pl0hV944/Vh1yAPZ+6KKNY aR4tE4GUvC6hwvJPdZHP8tS8w9Z1YYPITvbYC/55kxqhjFI1w49KM4/nSpF13CeYGB heMWxqOu3Czve93CnoJdG2I2jG+w4MMVJ8QwYApk=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t51LRdeX016792; Mon, 1 Jun 2015 17:27:40 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 1 Jun 2015 17:27:39 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Niels Dettenbach <nd@syndicat.com>
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
In-Reply-To: <1472054.O9DP0qoCQf@gongo>
Message-ID: <alpine.LFD.2.11.1506011720390.12155@bofh.nohats.ca>
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com> <CAL02cgRPFooA5fVFwvdprb3wPD+Y55pD+7RWjkACDv7T_TBW5Q@mail.gmail.com> <1472054.O9DP0qoCQf@gongo>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/yyxwKcXRZxZAF4bBq5ZBnOvVbX8>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 21:27:48 -0000

On Mon, 1 Jun 2015, Niels Dettenbach wrote:

> - And: there ARE poeples and services which doen't allow encrypted access for
> legal or organisational reasons - it would not be nice to block interested
> poeples from such user "societies" which are not usually free to decide for an
> alternative byself.

And that resoning is exactly how we _got_ into this mess in the first
place. We had to cater to governments banning encryption for its users,
and we now see what that got them. I can no longer prevent goverments
interpreting my online self based on 20 years of data, but I sure hope
we can prevent that for future generations. We should have said no to
governments in the previous crypto war - and we definitely have to say
no now.

Enterprise users are no problem, they have enterprise-issued local policy
and can override all the TLS they want with MITM certs and proxies and
mandated software on the enterprise hardware.

> And for me personal: I use a 7 year old cell phone to read http stuff in my
> spare time and do not understand why i should buy a new one for the very same
> application.

A cell phone that cannot do SSL/TLS (or worse, 7 year old SSL only) is
a danger to its owner and possibly to the internet at large if it is
owned by botnets already.

Paul