- From: Mike Belshe <mike@belshe.com>
- Date: Sun, 16 Nov 2014 09:00:42 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP <ietf-http-wg@w3.org>
- Message-ID: <CABaLYCtWcseytgGBTJTi2UiBg9Ht5r1sPt48VzGkJLyhcwq2EQ@mail.gmail.com>
Hey Mark - This is fantastic. Thanks for all you've done to make this happen. Its about time! Great! Mike On Fri, Nov 14, 2014 at 4:01 AM, Mark Nottingham <mnot@mnot.net> wrote: > Everyone, > > Please have a read through this carefully. Not only does it have potential > impact upon future work — including any standards work around proxies — but > it also may weigh on our current work (HTTP/2) when we take it to IETF Last > Call. > > Regards, > > > > Begin forwarded message: > > > > From: IAB Chair <iab-chair@iab.org> > > Subject: IAB Statement on Internet Confidentiality > > Date: 13 November 2014 11:26:02 pm GMT-10 > > To: IETF Announce <ietf-announce@ietf.org> > > Archived-At: > http://mailarchive.ietf.org/arch/msg/ietf-announce/ObCNmWcsFPNTIdMX5fmbuJoKFR8 > > Cc: IAB <iab@iab.org>, IETF <ietf@ietf.org> > > Reply-To: ietf@ietf.org > > > > Please find this statement issued by the IAB today. > > > > On behalf of the IAB, > > Russ Housley > > IAB Chair > > > > = = = = = = = = = = = = = > > > > IAB Statement on Internet Confidentiality > > > > In 1996, the IAB and IESG recognized that the growth of the Internet > > depended on users having confidence that the network would protect > > their private information. RFC 1984 documented this need. Since that > > time, we have seen evidence that the capabilities and activities of > > attackers are greater and more pervasive than previously known. The IAB > > now believes it is important for protocol designers, developers, and > > operators to make encryption the norm for Internet traffic. Encryption > > should be authenticated where possible, but even protocols providing > > confidentiality without authentication are useful in the face of > > pervasive surveillance as described in RFC 7258. > > > > Newly designed protocols should prefer encryption to cleartext operation. > > There may be exceptions to this default, but it is important to recognize > > that protocols do not operate in isolation. Information leaked by one > > protocol can be made part of a more substantial body of information > > by cross-correlation of traffic observation. There are protocols which > > may as a result require encryption on the Internet even when it would > > not be a requirement for that protocol operating in isolation. > > > > We recommend that encryption be deployed throughout the protocol stack > > since there is not a single place within the stack where all kinds of > > communication can be protected. > > > > The IAB urges protocol designers to design for confidential operation by > > default. We strongly encourage developers to include encryption in their > > implementations, and to make them encrypted by default. We similarly > > encourage network and service operators to deploy encryption where it is > > not yet deployed, and we urge firewall policy administrators to permit > > encrypted traffic. > > > > We believe that each of these changes will help restore the trust users > > must have in the Internet. We acknowledge that this will take time and > > trouble, though we believe recent successes in content delivery networks, > > messaging, and Internet application deployments demonstrate the > > feasibility of this migration. We also acknowledge that many network > > operations activities today, from traffic management and intrusion > > detection to spam prevention and policy enforcement, assume access to > > cleartext payload. For many of these activities there are no solutions > > yet, but the IAB will work with those affected to foster development of > > new approaches for these activities which allow us to move to an Internet > > where traffic is confidential by default. > > > > -- > Mark Nottingham http://www.mnot.net/ > > > > >
Received on Sunday, 16 November 2014 17:01:09 UTC