----- Original Message -----
From: "Tim Bray" <tbray(_at_)textuality(_dot_)com>
To: <ned+ietf(_at_)mauve(_dot_)mrochek(_dot_)com>
Cc: "IETF-Discussion Discussion" <ietf(_at_)ietf(_dot_)org>
Sent: Wednesday, November 06, 2013 2:35 AM
I disagree. I can’t think of an scenario in which a human who
wants/needs
to use IETF publications would not have access to an HTTPS-capable user
agent. -T
<tp>
I want access to IETF publications in order to contribute to the
standards process and I have access to a very fine, HTTPS-capable user
agent (supplied by Microsoft). It works with almost every web site in
the world, but not with the IETF's.
For any https:// link, the initial html is downloaded, the CRL is
downloaded and .....
zilch, nothing, a blank screen and a little globe that spins for hours.
Quite what is wrong with the IETF certificate chain's CRL I do not know,
but I do know that the IETF website is inaccessible with HTTPS. Of
course, I can turn off CRL checking and it works perfectly. Which I
think is a good summary of where we have got to with security (and no,
OCSP is not out there yet).
This thread started with a design and, as other messages on this thread
have pointed out, it would seem that that design, https, is largely
irrelevant to the actual requirement, namely authentication; but the
IETF has
designed a very fine hammer, namely https, so let's get to work with the
hammer:-(
Tom Petch
On Tue, Nov 5, 2013 at 6:21 PM, <ned+ietf(_at_)mauve(_dot_)mrochek(_dot_)com>
wrote:
I don't see reason to use https for delivery of public documents
such
as RFCs and Internet Drafts. All that would really accomplish is
reduce caching opportunities.
I don't have any problem with making things available via https, but
it
needs
to be possible to retrieve things with regular http. Not everything
gets
retrieved by a browser and not every tool out there supports https.
Ned