Re: SSL/TLS everywhere fail

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Mon, 7 Dec 2015 00:07:55 +0000
To: Adrien de Croy <adrien@qbik.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Jacob Appelbaum <jacob@appelbaum.net>, Mark Nottingham <mnot@mnot.net>, Cory Benfield <cory@lukasa.co.uk>, Mike Belshe <mike@belshe.com>, Amos Jeffries <squid3@treenet.co.nz>, httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <5664CDDB.4070108@cs.tcd.ie>


On 06/12/15 23:50, Adrien de Croy wrote:
> 
> "Consensus"
> 
> It seems odd to me that "consensus" can be reached on things without
> even the knowledge of others.  I don't recall seeing anything about
> BCP188 on this list, so the "consensus" I would have to assume is a
> limited one, which hardly seems worth the claim.

Please look at the ~1000 messages in the ietf@ietf.org archive on
the topic of that draft. Please consider the (video or whatever
form of reporting you prefer of the) technical plenary at IETF-88
with about 1000 people in the room who also expressed that same
consensus. (Albeit less precisely, which was the point of getting
the RFC done.)

httpbis is one of about 100+ IETF WGs. I fully understand that for
many folks it is entirely reasonable that this one WG is the limit of
their involvement in the IETF. But this isn't anywhere near the
entire IETF. Anyone who wants to is of course welcome to engage more
broadly but claims that there is a problem if something wasn't
discussed on one of the many many wg or non-wg lists aren't really
convincing.

> 
> And you wrote it yourself last year.

I am a co-author yes. Or editor really.

Claims that BCP188 hasn't been exposed to significant and broadly
based scrutiny from many IETF participants are... wrong. ("Wrong"
wasn't the first word I typed:-)

S.

PS: I didn't check back but I think I recall mnot sending a link here
at one point asking folks to pay attention.



> 
> So that particular reference seems a bit self-serving.
> 
> And as far as I'm concerned, we don't really achieve true consensus on
> much.  Witness more recently the DNSOP .onion spec which requires
> building a time-machine to comply with.   The IETF is bigger than DNSOP
> or HTTPBis, so to claim "xx represents the consensus of the IETF
> community" is dubious at best.
> 
> And it is a u-turn on previous long-standing IETF "consensus" which is
> that we should not take a partisan stance.
> 
> Problem with taking a partisan stance is that when those with the actual
> power of states (e.g. legislature, judiciary, police etc) decide what we
> are doing is illegal, we create problems for our customers.  History is
> full of governments just doing what they want, look how Blackberry was
> blocked in India.  Do we really have the moral right to put users of
> products using our designed protocols at odds with the laws of their
> country "for their own good"?  Seems a bit irresponsible and callous to me.
> 
> The neutral stance I could live with, but we should not be taking a
> partisan stance, nor trying to state that the IETF thinks monitoring is
> "an attack" which is a highly loaded and pejorative term although I note
> that you attempt to address this in section 1, I don't think that
> message will make it across.
> 
> There seems to be a bit of a reality disconnect when denying any
> potential legitimacy to rights which are currently exercised by almost
> every state.  I wonder what the US state dept and many other government
> agencies around the world would think of BCP188 or what this WG is doing
> here.
> 
> 
> 
> ------ Original Message ------
> From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
> To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
> Cc: "Jacob Appelbaum" <jacob@appelbaum.net>; "Mark Nottingham"
> <mnot@mnot.net>; "Cory Benfield" <cory@lukasa.co.uk>; "Adrien de Croy"
> <adrien@qbik.com>; "Mike Belshe" <mike@belshe.com>; "Amos Jeffries"
> <squid3@treenet.co.nz>; "httpbis mailing list" <ietf-http-wg@w3.org>
> Sent: 7/12/2015 6:35:45 a.m.
> Subject: Re: SSL/TLS everywhere fail
> 
>>
>> On 06/12/15 16:58, Poul-Henning Kamp wrote:
>>>  Consequently the Danvers Doctrine is an unconditional declaration
>>>  of war, against any kind of legal communication intercept, and
>>>  therefore it will never be able to collect the signature of a
>>>  single minister of justice, nor get endorsed by any legislature.
>>
>> Such risible rhetoric is frankly puzzling. I've no idea why
>> you think that kind of near-gibberish is useful to this wg.
>> (By gibberish I specifically mean your odd concept of having
>> some selection of the world's ministers for justice or
>> legislatures endorse an RFC.)
>>
>> If, as seems to be the case, you have problems with the IETF
>> consensus on how to deal with security and privacy then you
>> should write an I-D and see if that garners consensus. I guess
>> you do know that this is not the right mailing list for that,
>> ietf@ietf.org would be the place to start, not here.
>>
>> S.
> 
> 
> 
Received on Monday, 7 December 2015 00:08:33 UTC
