Re: [perpass] TLS discussion

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 18 November 2013 11:47 UTC

Message-ID: <5289FE29.2040804@cs.tcd.ie>
Date: Mon, 18 Nov 2013 11:46:49 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: "Learmonth, Iain Ross" <iain.learmonth.09@aberdeen.ac.uk>, Phillip Hallam-Baker <hallam@gmail.com>
References: <CAMm+Lwg-AF9fZ5=f5W8JDmiCe=U7Uyxso_bdHGaQhddsQ+aGaw@mail.gmail.com>, <5288E344.1020008@cs.tcd.ie> <7801df6558344b67a684933d4776e294@DB3PR01MB153.eurprd01.prod.exchangelabs.com>
In-Reply-To: <7801df6558344b67a684933d4776e294@DB3PR01MB153.eurprd01.prod.exchangelabs.com>
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] TLS discussion

On 11/18/2013 09:13 AM, Learmonth, Iain Ross wrote:
> 
>> Other foo/tls protocols will also soon have a separate venue [3]
>> and we have a TLS working group. So I see little left to discuss
>> about TLS on this list to be honest.
> 
>> [3] https://datatracker.ietf.org/doc/charter-ietf-uta/
> 
> I agree that the HTTP/TLS discussion should be moved to the uta (Using TLS in Applications) mailing list, when one exists, with regard to authentication. It protects far more against active attacks and this list is about preventing passive mass monitoring being useful.
> 
> I think that the discussion relating to the use of TLS for encryption, its effect on proxies and CDNs, and the fact that CDNs are a privacy issue still need discussion here and are relevant to this list.

Well, please bear in mind that httpbis are having a HUGE discussion
(~100 mails/day) on exactly this for HTTP/2.0 which is raging now,
so let's at least punt the discussion here for a few weeks until
the immediate work in httpbis settles down. Or dive in there [1],
seems like everyone else is doing that already;-)

Pretty please?

S.

[1] http://tools.ietf.org/wg/httpbis/


> The main question: are there times when we would ever want HTTP traffic to not be encrypted?
> The secondary question is: how can the trust model for CDNs be improved? I don't believe that third-party CDNs that do caching and have access to private information are a good idea. Maybe we can come up with some best practices like only proxying static content but directly contacting the origin for dynamic content that could contain private information, and declaring in the cert that you're contacting a CDN instead of the actual site? But then there are no guarantees that people are following them.
> 
> Iain.
> 