W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2015

Re: SSL/TLS everywhere fail

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 07 Dec 2015 00:15:04 +0000
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: "Jacob Appelbaum" <jacob@appelbaum.net>, "Mark Nottingham" <mnot@mnot.net>, "Cory Benfield" <cory@lukasa.co.uk>, "Mike Belshe" <mike@belshe.com>, "Amos Jeffries" <squid3@treenet.co.nz>, "httpbis mailing list" <ietf-http-wg@w3.org>
Message-Id: <em4abeb035-809b-488c-97f6-18b419a0d0a6@bodybag>


------ Original Message ------
From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
To: "Adrien de Croy" <adrien@qbik.com>; "Poul-Henning Kamp" 
<phk@phk.freebsd.dk>
Cc: "Jacob Appelbaum" <jacob@appelbaum.net>; "Mark Nottingham" 
<mnot@mnot.net>; "Cory Benfield" <cory@lukasa.co.uk>; "Mike Belshe" 
<mike@belshe.com>; "Amos Jeffries" <squid3@treenet.co.nz>; "httpbis 
mailing list" <ietf-http-wg@w3.org>
Sent: 7/12/2015 1:07:55 p.m.
Subject: Re: SSL/TLS everywhere fail

>
>
>On 06/12/15 23:50, Adrien de Croy wrote:
>>
>>  "Consensus"
>>
>>  It seems odd to me that "consensus" can be reached on things without
>>  even the knowledge of others.  I don't recall seeing anything about
>>  BCP188 on this list, so the "consensus" I would have to assume is a
>>  limited one, which hardly seems worth the claim.
>
>Please look at the ~1000 messages in the ietf@ietf.org archive on
>the topic of that draft. Please consider the (video or whatever
>form of reporting you prefer of the) technical plenary at IETF-88
>with about 1000 people in the room who also expressed that same
>consensus. (Albeit less precisely, which was the point of getting
>the RFC done.)
>
>httpbis is one of about 100+ IETF WGs.
exactly my point.

I'm not saying there's an easy solution, but if you consider that one of 
the most monitored protocols is http, you'd think there would be more 
involvement of this WG for such a BCP, especially considering the extent 
to which we are affected by it.

Maybe there needs to be some more design thought put into how wider 
consensus of affected parties can be achieved, so that those who like 
you say aren't on a plethora of lists can still consider that the 
strength of the consensus is maintained, because AFAIC the whole purpose 
of the IETF is to attain consensus on things and represent the view of 
the community.


>I fully understand that for
>many folks it is entirely reasonable that this one WG is the limit of
>their involvement in the IETF. But this isn't anywhere near the
>entire IETF. Anyone who wants to is of course welcome to engage more
>broadly but claims that there is a problem if something wasn't
>discussed on one of the many many wg or non-wg lists aren't really
>convincing.
>
>>
>>  And you wrote it yourself last year.
>
>I am a co-author yes. Or editor really.
>
>Claims that BCP188 hasn't been exposed to significant and broadly
>based scrutiny from many IETF participants are... wrong. ("Wrong"
>wasn't the first word I typed:-)
>
>S.
>
>PS: I didn't check back but I think I recall mnot sending a link here
>at one point asking folks to pay attention.
>
>
>
>>
>>  So that particular reference seems a bit self-serving.
>>
>>  And as far as I'm concerned, we don't really achieve true consensus 
>>on
>>  much.  Witness more recently the DNSOP .onion spec which requires
>>  building a time-machine to comply with.   The IETF is bigger than 
>>DNSOP
>>  or HTTPBis, so to claim "xx represents the consensus of the IETF
>>  community" is dubious at best.
>>
>>  And it is a u-turn on previous long-standing IETF "consensus" which 
>>is
>>  that we should not take a partisan stance.
>>
>>  Problem with taking a partisan stance is that when those with the 
>>actual
>>  power of states (e.g. legislature, judiciary, police etc) decide what 
>>we
>>  are doing is illegal, we create problems for our customers.  History 
>>is
>>  full of governments just doing what they want, look how Blackberry 
>>was
>>  blocked in India.  Do we really have the moral right to put users of
>>  products using our designed protocols at odds with the laws of their
>>  country "for their own good"?  Seems a bit irresponsible and callous 
>>to me.
>>
>>  The neutral stance I could live with, but we should not be taking a
>>  partisan stance, nor trying to state that the IETF thinks monitoring 
>>is
>>  "an attack" which is a highly loaded and pejorative term although I 
>>note
>>  that you attempt to address this in section 1, I don't think that
>>  message will make it across.
>>
>>  There seems to be a bit of a reality disconnect when denying any
>>  potential legitimacy to rights which are currently exercised by 
>>almost
>>  every state.  I wonder what the US state dept and many other 
>>government
>>  agencies around the world would think of BCP188 or what this WG is 
>>doing
>>  here.
>>
>>
>>
>>  ------ Original Message ------
>>  From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
>>  To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
>>  Cc: "Jacob Appelbaum" <jacob@appelbaum.net>; "Mark Nottingham"
>>  <mnot@mnot.net>; "Cory Benfield" <cory@lukasa.co.uk>; "Adrien de 
>>Croy"
>>  <adrien@qbik.com>; "Mike Belshe" <mike@belshe.com>; "Amos Jeffries"
>>  <squid3@treenet.co.nz>; "httpbis mailing list" <ietf-http-wg@w3.org>
>>  Sent: 7/12/2015 6:35:45 a.m.
>>  Subject: Re: SSL/TLS everywhere fail
>>
>>>
>>>  On 06/12/15 16:58, Poul-Henning Kamp wrote:
>>>>   Consequently the Danvers Doctrine is an unconditional declaration
>>>>   of war, against any kind of legal communication intercept, and
>>>>   therefore it will never be able to collect the signature of a
>>>>   single minister of justice, nor get endorsed by any legislature.
>>>
>>>  Such risible rhetoric is frankly puzzling. I've no idea why
>>>  you think that kind of near-gibberish is useful to this wg.
>>>  (By gibberish I specifically mean your odd concept of having
>>>  some selection of the world's ministers for justice or
>>>  legislatures endorse an RFC.)
>>>
>>>  If, as seems to be the case, you have problems with the IETF
>>>  consensus on how to deal with security and privacy then you
>>>  should write an I-D and see if that garners consensus. I guess
>>>  you do know that this is not the right mailing list for that,
>>>  ietf@ietf.org would be the place to start, not here.
>>>
>>>  S.
>>
>>
>>
Received on Monday, 7 December 2015 00:15:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:40 UTC