W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re[2]: multiplexing -- don't do it

From: Adrien W. de Croy <adrien@qbik.com>
Date: Tue, 03 Apr 2012 01:55:46 +0000
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Robert Collins" <robertc@squid-cache.org>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <em8f257426-a20c-4e46-b655-aed6ecc50ed0@BOMBED>

------ Original Message ------
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
>
>
>On 04/03/2012 12:22 AM, Robert Collins wrote: 
>>This seems rather timely: 
>>
>>http://www.telegraph.co.uk/technology/news/9179087/Internet-activity-to-be-monitored-under-new-laws.html 
>>
>
>And not timely but relevant: 
>
>http://tools.ietf.org/html/rfc2804 
  
  
OK, thanks for pointing that out.
  
We are at a slightly different juncture than we were in 2000.
  
It seems to me, the issue of mandatory SSL is far from put to rest.
  
In relation to RFC2804, it's one thing to take a position of not taking 
a position, which is fine and completely reasonable.
  
It's another to promote a protocol that explicitly goes against the 
wishes of governments, and therefore creates problems for implementors, 
potentially criminalises users and implementors.  Thats doesn't equate 
to not taking a position.
  
Even if we put wiretapping issues aside, there are plenty of other 
reasons why it's IMO unfeasible to make SSL/TLS mandatory, and these 
relate mainly to administrative, security, and infrastructural issues.  
  
We simply are not at a place where deployment of SSL certificates 
beyond the realms of technically proficient operators is feasible to 
support.
  
We don't have a viable deployable alternative to certificates.  
Shared-secret is not viable for the web at large.
  
We are also not at a place where we've solved the issues relating to 
certificate verification. OCSP servers are a highly central point of 
failure (with enormous consequences) and go down. 
  
We didn't even touch on deployability of TLS/SSL into tiny footprints, 
or the non-zero costs in terms of latency and CPU / RAM at various 
points in the network.
Arguments about users right for privacy are political arguments, and 
fall afoul of RFC 2804 on the other side.
  
Corporates also have a right and an increasing requirement to know what 
their resources are being used for.  This requirement is getting 
stronger not weaker, as countries around the world roll out laws around 
internet copyright abuse.  For instance in NZ, there's a 3 strike 
system now, with large fines etc.  Companies need to be able to protect 
themselves from liability for their users' actions.

I don't really have much more on the topic of mandatory-to-use SSL.  In 
the end, if that's where the specs go, we are just escalating the arms 
race, which simply incurs cost on the users of these protocols, for 
which history may not thank us.  We'll just have all the pain of 
everyone having to deploy SSL, and we'll get MITM as well.
Cheers
Adrien

  
>
>S 
>
>>-Rob 
>>
>>
>
Received on Tuesday, 3 April 2012 01:56:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:59 GMT