W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: HTTP 2.0 mandatory security vs. Amateur Radio

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 14 Nov 2013 09:56:04 +0000
Message-ID: <52849E34.1080306@cs.tcd.ie>
To: Bruce Perens <bruce@perens.com>, ietf-http-wg@w3.org

Hi Bruce,

On 11/14/2013 05:07 AM, Bruce Perens wrote:
> Amateur radio, commonly referred to as "ham radio", is prohibited from using 
> encryption to obscure the message content by both international law (an ITU 
> treaty) and its implementations in the national law of most nations. However, we 
> can use encryption that /doesn't/ obscure message content for the purposes of 
> authentication. Use of an https URL over an Amateur Radio connection would be a 
> rule violation.
> 
> Although I am well able to discuss the rationale for the prohibition of 
> encryption, that's probably off-topic for this list. Please take it as a given 
> that it's necessary and we like it this way. Anyone who wishes to know more can 
> email me directly.

Well, I don't think its that simple to be honest. If there are
good reasons to prefer the status quo that's fine, but that
treaty is a fairly old thing and I think the argument that we
should hold up security improvements in the web on that basis
is not at all compelling. One could equally argue that today's
common use of crypto for communication on the Internet and the
web indicates that that treaty is now past its sell-by date.
(I do realise that's not a usefully actionable argument for
ham radio users.)

Occasionally we're told that there are places in the world
where current crypto is illegal (usually without reference to
specific laws), but we nonetheless use strong crytpo in our
protocols, going all the way back to RFC 1984. And we're right
to do that. So your argument would also apply to an IPsec VPN
but yet I don't see an argument that such VPNs ought only
use AH and not ESP.

> Radio Amateurs use wifi-like networks, using 802.11 equipment on its usual 
> frequencies or transverting it to other frequencies, and sometimes with a lot 
> more power than non-licensed users are allowed.

There could be an interesting workshop paper on how HTTP/2.0
would run over AX.25 for sure. Has anyone done that? I'd
wonder if there are other non-security features of HTTP/2.0
(as currently proposed) that would make it more or less
well suited for use in such networks.

> Although our routers often run OpenWRT or something similar so that we can add 
> ham-specific protcols, we  use off-the-shelf computing equipment, operating 
> systems, and web browsers.
> 
> It would cause us some significant pain if web browsers stopped enabling 
> unencrypted http connections. We'd have to proxy https to http before we allowed 
> the signal on to Amateur frequencies, in order to remain in legal compliance.

Yes, that's true. The same is true for people who do DTN experiments
(like me) where we have tried out various ways to get HTTP traffic
to very odd places using RFC 5050. Now while ham radio is a much
more real use-case than DTN, personally I think that the good for
the billions of users of the web should outweigh the needs of such
tiny communities in general.

Cheers,
S.

> I doubt we're the only people in the world who must, or would rather, have their 
> communications in the clear.
> 
>      Thanks
> 
>      Bruce Perens K6BP
> 
Received on Thursday, 14 November 2013 09:56:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC