ietf
[Top] [All Lists]

Re: Proposed Statement on "HTTPS everywhere for the IETF"

2015-06-01 23:44:29
If I understand the intent of this statement, that this is for IETF
services to be encrypted via TLS at this point in time, and that clear
text will continue to be supported, then I strongly support that tooling
approach, statement or no statement, being pursued by the secretariat. 
I support this approach not because the IETF communications contain
massive amounts of private data (I wouldn't imagine this is not true),
but because we need to be eating our own dog food so that we understand
the sorts of pitfalls others will face when we emplore them to encrypt. 
This way we can first face those issues and perhaps address them.

It would be helpful to understand what this statement will mean in
practical terms in the near future.  If what we are saying is that the
secretariat will pursue alternatives to the current rsync / ftp
approaches, that's fine.  It's what I was suggesting in the last round
of discussions.  Is git in our near future (not objecting, just wondering)?

With regard to plain text, it would be helpful if the secretariat could
report how much plaintext is actually accessed, and if at all possible,
by the number of different "users", so that we can determine when – if
ever – to turn off plain text.  It may also help us understand if there
are certain geographies that are not accessing encrypted information.

And yes, as always, I prefer decisions to be documented in RFCs but I
care far less in this case, since it is a policy that would direct the
secretariat and not participants.

Eliot

On 6/1/15 6:43 PM, The IESG wrote:
Hi All,

The IESG are planning to agree an IESG statement on "HTTPS Everywhere
for the IETF," please see [1] for the current text.

We are seeking community feedback on this and welcome assistance
from the community in identifying any cases where a change or
additional guidance is needed to put this into effect.

The IESG plans to finalise this statement just after IETF-93 in Prague.

* Please send general feedback intended for discussion to 
ietf(_at_)ietf(_dot_)org

* Comments about specific issues arising can be sent to 
iesg(_at_)ietf(_dot_)org
or tools-discuss(_at_)ietf(_dot_)org as appropriate (use 
iesg(_at_)ietf(_dot_)org if not sure)

Regards,
Terry & Stephen (for the IESG)

[1] https://trac.tools.ietf.org/group/iesg/trac/wiki/HttpsEverywhere





Attachment: signature.asc
Description: OpenPGP digital signature

<Prev in Thread] Current Thread [Next in Thread>