W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Cory Benfield <cory@lukasa.co.uk>
Date: Sat, 5 Dec 2015 08:18:59 +0000
Cc: Adrien de Croy <adrien@qbik.com>, Jacob Appelbaum <jacob@appelbaum.net>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-Id: <9506ED13-4363-4F75-ADAA-4A9A0FEB343D@lukasa.co.uk>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>

> On 5 Dec 2015, at 00:10, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> Their political choice would then be reduced to:
>   A) Pass traffic, collecting only the "envelope",
> or
>   B) Block all traffic that cannot be inspected.
> Even in Kazakstan B) would be politically suicide, so the result would
> *at worst* be A).
> A) Would have been a *much* better situation than what is now happening.

It’s legitimately unclear to me that this is true. Going into a discussion of whether “just” metadata is better than metadata + data is not something I want to do on this list, but the idea that it’s clear-cut in favour of one side or another is not apparent to me.

>> However, I want to point out that *this working group* has, to my
>> knowledge, never enacted any requirement that could be referred to as
>> mandating, or even particularly encouraging, TLS-everywhere.
> So it wasn't committed to an RFC ?  Big deal.
> I'm sorry, but the cheering was deafening, so don't come now and
> claim that the people in this WG was neutral bystanders not taking
> a position.

Please don’t misrepresent what I said. I said “this WG”, not “members of this WG”. Individuals are not the aggregate. Many individuals in this WG did cheer for TLS-everywhere, sure, but the working group *as a whole* remained neutral on the topic. This was my original point.

>> Given that, as far as I can see what you want from this WG is not to
>> stop specifying that TLS must be used everywhere, but to start
>> specifying that implementations MUST support plaintext versions of all
>> protocols they implement.
> What I've been telling this group, is the exact same thing I have
> been preaching everywhere else:
> If you want to fight for your right to privacy, you shouldn't bring
> a knife to a gunfight, you should get elected to your nearest
> relevant legislature.
> You may be able to enact RFCs, the people you are fighting can
> enact laws, which police, courts and worst case military force
> will back up.
> While you work on the political side, you should certainly *also*
> make sure that we can have "proportional response" in the technical
> battle.
> Doing that, we *might* have a chance of victory[2].
>> If you want to avoid TLS-everywhere being "shoved down" everyone's
>> throat, rather than posting emails that prove how wonderful you are at
>> predicting changes in government policy, you should continue to use your
>> influential voice when new drafts are discussed to ensure that they do
>> not further contribute to the problems you are concerned about.
> You may not know this:  I make my living as a one man company writing
> software.  I have no customers I can bill for IETF work and much
> less can I afford to travel to IETF meetings, even if I wanted to
> in the first place.
> And yet I sit here at midnight, after a workday which started 16
> hours and 800km away, answering your email.
> And by the way:  The HTTP workshop was half of my summer-vacation this year.
> So for the sake of my blood-pressure, I would *really* appreciate
> if you will stop telling me how I should spend my time.

That's is a fair point: I’m sorry, that was not my intention. Had I phrased that paragraph correctly, I would have said that you are more likely to be successful in your goals by continuing to be involved in IETF discussions to the best of your ability and time. Having been involved with this WG for a while now, I’ve seen you successfully use what little time you have to contribute and make your case.

I am sympathetic to your lack of time, because my response to your suggestion that I get elected to the House of Commons is a similar one: I don’t know where I’m expected to get the time. So, like you, I do the best I can: I write to my (useless) MP, I donate money to the Open Rights Group, and I try to vote for candidates that will take a more appropriate position on these issues.

>> What is *not* helping is about 50% of this thread, which consists of
>> grandstanding and empty rhetoric.
> If you consider this "empty rhetoric", then I probably have nothing
> to contribute that you would consider germane.
> I will point out though, that amongst my "empty rhetoric" was an
> attempt to prevent HTTP/2 from just goldplating SPDY:
> 	http://phk.freebsd.dk/words/httpbis.html
> I was told by several people that I didn't even need to bother
> posting that as ID because it was a foregone conclusion that
> HTTP/2 would be based on SPDY.
> Despite that, I also worked with a group of other people to try to
> come up with a protocol draft in the unreasonably short timeslot
> which basically only allowed the SPDY people to make it.
> And finally, I've been trying my damnest to to raise awareness
> in any context I've had the chance, including one of the most
> watched and talked about closing keynotes in FOSDEM history[4]:
> 	 https://www.youtube.com/watch?v=fwcl17Q0bpk
> So yes, I'm full of "empty rhetoric" in an attempt to raise
> the ground-swell we will need if we want to have a chance to
> fight for a right to privacy.

I’m sorry, Poul-Henning, but my recollection is that I said that *this thread* was 50% empty rhetoric. The only comment I made about contributions outside this thread was a set of comments that were *positive* about your work in this working group. I did my level best to avoid attacking anyone in my email. Clearly I failed, for which I’m sorry.

> If you think a well-written ID is a better way, be my guest.

I do. I also think that I can’t write it, because I’m on the other side of the fence. This is why we need your voice.

Received on Saturday, 5 December 2015 08:19:35 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC