ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Proposed Statement on "HTTPS everywhere for the IETF"

2015-06-03 15:16:36
from [Stephen Farrell] [Permanent Link] 

Hi,

On 03/06/15 21:00, Tony Hain wrote:

While I don't object to making the IETF content available via
https/tls, 


That's been done for ages. This just makes it the default. Which
does require some minor changes.


this proposed statement reads as political knee-jerk BS
that is both unnecessary and uncalled for. What the statement MUST
focus on is 'data integrity', and SHOULD NOT stoop to fear mongering
over 'privacy'. 


I have to say the above seems somewhat overstated. (Where my use of
"somewhat" is understatement:-)


"It is public data ..." For the very small subset
that is truly restricted access, it is fine to acknowledge 'privacy'
as a concern, but for the vast majority of the content in question,
'data integrity' is the only real concern.


I would assert that the existence of the dprive WG is good evidence
that the IETF does not consider data-integrity as the only real
concern for public data.

I'd also note that there is no TLS ciphersuite that satisfies BCP195
and that only provides data integrity. That very recent IETF consensus
document says one MUST NOT negotiate any of the ciphersuites with
NULL encryption (essentially outside of testing/debug). So what you
appear to want this statement to say would seem to be inconsistent
with IETF consensus.

Cheers,
S.




As such, I oppose the statement as written. Fix the tone and I will
be a strong supporter.

Tony



-----Original Message----- From: IETF-Announce
[mailto:ietf-announce-bounces(_at_)ietf(_dot_)org] On Behalf Of The IESG 
Sent:
Monday, June 01, 2015 9:44 AM To: IETF Announcement List Subject:
Proposed Statement on "HTTPS everywhere for the IETF"

Hi All,

The IESG are planning to agree an IESG statement on "HTTPS
Everywhere for the IETF," please see [1] for the current text.

We are seeking community feedback on this and welcome assistance
from the community in identifying any cases where a change or
additional guidance is needed to put this into effect.

The IESG plans to finalise this statement just after IETF-93 in
Prague.

* Please send general feedback intended for discussion to
ietf(_at_)ietf(_dot_)org

* Comments about specific issues arising can be sent to
iesg(_at_)ietf(_dot_)org or tools-discuss(_at_)ietf(_dot_)org as appropriate 
(use
iesg(_at_)ietf(_dot_)org if not sure)

Regards, Terry & Stephen (for the IESG)

[1]
https://trac.tools.ietf.org/group/iesg/trac/wiki/HttpsEverywhere
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Proposed Proposed Statement on e-mail encryption at the IETF, Måns Nilsson
Next by Date:  Re: Proposed Statement on "HTTPS everywhere for the IETF", Stephen Farrell
Previous by Thread:  RE: Proposed Statement on "HTTPS everywhere for the IETF", Tony Hain
Next by Thread:  RE: Proposed Statement on "HTTPS everywhere for the IETF", Tony Hain
Indexes:  [Date] [Thread] [Top] [All Lists]