- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Sat, 13 Jul 2013 11:47:25 +0100
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 13 Jul 2013, at 11:08, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

>
> I would like to advocate that everybody spends a little bit of time
> reconsidering how we design protocols after the PRISM disclosures.
>
> We don't need to have a long discussion about the actual legality
> of the US spy operation, the sheer scale and the kind of efforts
> that went in to it is the relevant message to us.
>
> The take-home message is that encryption will be broken, disabled,
> circumvented or watered down, if it gets in the way of political
> objectives.
>
> We can do three things in light of this:
>
> 1) We can try to add more encryption to fight back.

Sounds good. We probably need better implementation and more deployment as well.

>
> 2) We can recognize that there needs to be hooks for duly authorized access.

That's not for this WG IMO. RFC 2804 is a BCP that says that.

>
> 3) We can change or at least influence the political objectives

Not for the IETF IMO.

S

>
> I think PRISM is ample evidence that #1 will have the 100% certain
> result that all encryption will be circumvented, with bogus CA
> certs all the way up to PRISM and designed-in backdoors, and the
> net result is less or even no privacy for anybody everywhere.
>
> In my view, that would be very counterproductive.
>
> #2 is not without challenges, but at least there are plausible paths
> from there to a state of affairs where innocent people might still
> have access to private communications, and it might seem to be a
> necessary precondition for any hope on #3
>
> #3 is clearly not inside HTTPbis scope, but it may be time for
> all good nerds to come to the aid of their country and humanity.
>
> A "market based" argument can be made under #3, that if we design
> protocols with the necessary access (#2), programs like PRISM will
> not be cost effective, but that will take some serious effort
> of education and politics.
>
> Anyway: Edward Snowden has moved the rug under the HTTP/2.0
> standardization process, and we should not ignore that.
>
> Think about it.
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>

Received on Saturday, 13 July 2013 10:48:03 UTC