- From: Adrien W. de Croy <adrien@qbik.com>
- Date: Tue, 03 Apr 2012 01:55:46 +0000
- To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Robert Collins" <robertc@squid-cache.org>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
------ Original Message ------ From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie> > > >On 04/03/2012 12:22 AM, Robert Collins wrote: >>This seems rather timely: >> >>http://www.telegraph.co.uk/technology/news/9179087/Internet-activity-to-be-monitored-under-new-laws.html >> > >And not timely but relevant: > >http://tools.ietf.org/html/rfc2804 OK, thanks for pointing that out. We are at a slightly different juncture than we were in 2000. It seems to me, the issue of mandatory SSL is far from put to rest. In relation to RFC2804, it's one thing to take a position of not taking a position, which is fine and completely reasonable. It's another to promote a protocol that explicitly goes against the wishes of governments, and therefore creates problems for implementors, potentially criminalises users and implementors. Thats doesn't equate to not taking a position. Even if we put wiretapping issues aside, there are plenty of other reasons why it's IMO unfeasible to make SSL/TLS mandatory, and these relate mainly to administrative, security, and infrastructural issues. We simply are not at a place where deployment of SSL certificates beyond the realms of technically proficient operators is feasible to support. We don't have a viable deployable alternative to certificates. Shared-secret is not viable for the web at large. We are also not at a place where we've solved the issues relating to certificate verification. OCSP servers are a highly central point of failure (with enormous consequences) and go down. We didn't even touch on deployability of TLS/SSL into tiny footprints, or the non-zero costs in terms of latency and CPU / RAM at various points in the network. Arguments about users right for privacy are political arguments, and fall afoul of RFC 2804 on the other side. Corporates also have a right and an increasing requirement to know what their resources are being used for. This requirement is getting stronger not weaker, as countries around the world roll out laws around internet copyright abuse. For instance in NZ, there's a 3 strike system now, with large fines etc. Companies need to be able to protect themselves from liability for their users' actions. I don't really have much more on the topic of mandatory-to-use SSL. In the end, if that's where the specs go, we are just escalating the arms race, which simply incurs cost on the users of these protocols, for which history may not thank us. We'll just have all the pain of everyone having to deploy SSL, and we'll get MITM as well. Cheers Adrien > >S > >>-Rob >> >> >
Received on Tuesday, 3 April 2012 01:56:23 UTC