On Nov 6, 2013, at 6:23 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

> Here's what I suggest: A single, simple, conceptual question that supplies
> all of the 'guidance' we can legitimately offer, at this stage:
>
>    The IETF needs to press for careful attention to privacy
>    concerns in its work, including protection against surveillance.
>
>    [ ] No
>    [ ] Yes
>    [ ] Don't Yet Know
>    [ ] Don't Care

Worded like that? I choose "Yes".

But this has a similar issue to the questions asked in the plenary. It's
similar to the questions "do you want to eliminate crime?", "should your
government have a balanced budget?", "are NATs bad?". Unless you're in the "get
over it" camp on privacy, of course you're going to vote "Yes".

When such attention comes to specific work items, we get tradeoffs against
performance and against ease of deployment. Saying that HTTP/2 will only work
with server authentication (as has been suggested) means that you won't be able
to just turn on a switch and get the better page-load times of HTTP/2. You
would need to get a certificate first, and if your site required a 3-server
cluster, you would need to either add several more nodes to the cluster or buy
an SSL accelerator box. That's the kind of trade-off we have to think about
when we advocate mandatory-to-use.

Yoav