W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: IAB statement on draft-farrell-perpass-attack-00

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 28 Nov 2013 13:02:11 +1100
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <97F954D5-B47C-4521-B584-B1AB61736225@mnot.net>
To: "William Chan (陈智昌)" <willchan@chromium.org>

On 28 Nov 2013, at 12:42 pm, William Chan (陈智昌) <willchan@chromium.org> wrote:

> What do "adequately address pervasive monitoring in HTTP/2.0"

Well, that's the fun part. Since there isn't specific guidance in this draft, we'll need to come up with the details ourselves. 

So far, our discussion has encompassed mandatory HTTPS (which has been controversial, but also seems likely to be in some of the first implementations of HTTP/2.0) and opportunistic encryption (which seems to have decent support in principle, but there also seems to be some reluctance to implement, if I read the tea leaves correctly). Either of those would probably "adequately address" if we wrote them into HTTP/2.0.

Alternatively, it may be that we don't address pervasive monitoring in the core HTTP/2.0 document itself, since HTTP is used in a such a wide variety of ways, but instead "adequately address" in a companion document. One proposal that might have merit is shipping a "HTTP/2.0 for Web Browsing" document and addressing pervasive monitoring there.

My biggest concern at this point is the schedule; we don't have the luxury of a drawn-out two year debate on how to do this.


> and "we'll very likely get knocked back for it" mean?

It means the IESG would send the documents back to us for further work when we go to Last Call.

Cheers,


> 
> 
> On Wed, Nov 27, 2013 at 4:08 PM, Mark Nottingham <mnot@mnot.net> wrote:
> FYI. If this gains IETF consensus (and every indication is that it will), it will impact our work, in that if we don't adequately address pervasive monitoring in HTTP/2.0, we'll very likely get knocked back for it.
> 
> If you have input, please send it to ietf@ietf.org or perpass@ietf.org.
> 
> Cheers,
> 
> P.S. The link is: <http://tools.ietf.org/html/draft-farrell-perpass-attack-00>
> 
> 
> Begin forwarded message:
> 
> > From: IAB Chair <iab-chair@iab.org>
> > Subject: IAB statement on draft-farrell-perpass-attack-00
> > Date: 28 November 2013 3:13:02 am AEDT
> > To: IETF Announce <ietf-announce@ietf.org>
> > Cc: IETF <ietf@ietf.org>
> > Reply-To: IETF <ietf@ietf.org>
> >
> > At the Vancouver IETF meeting, the IAB held a technical plenary that discussed pervasive monitoring.  The IAB believes that pervasive monitoring represents an attack on the Internet in as much as large amounts of information that is intended to be confidential between sets of individuals is in fact gathered and aggregated by third parties.  Such a broad scale attack can undermine confidence in the infrastructure, no matter the intent of those collecting the information.
> >
> > draft-farrell-perpass-attack-00 is intended to establish an IETF community consensus on this matter.  We encourage the community to read and engage in discussion about this draft, and also to take practical measures to limit pervasive monitoring within their environments.
> >
> > On behalf of the IAB,
> >  Russ Housley
> >  IAB Chair
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 
> 
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Thursday, 28 November 2013 02:02:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC