
Re: PRISM and HTTP/2.0

From: Mike Belshe <mike@belshe.com>
Date: Sat, 13 Jul 2013 11:43:26 -0700
Message-ID: <CABaLYCtKGa8yyYLpun=LGaxjFoWvFYdK_TMqfAE-5Yw+ch7nAg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, HTTP Working Group <ietf-http-wg@w3.org>
Or we can put up an anonymous auction to all governments, and let the
highest bidder win the keys to HTTP/2.0.

Mike



On Sat, Jul 13, 2013 at 3:47 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:

>
>
> On 13 Jul 2013, at 11:08, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>
> >
> > I would like to advocate that everybody spends a little bit of time
> > reconsidering how we design protocols after the PRISM disclosures.
> >
> > We don't need to have a long discussion about the actual legality
> > of the US spy operation, the sheer scale and the kind of efforts
> > that went into it is the relevant message to us.
> >
> > The take-home message is that encryption will be broken, disabled,
> > circumvented or watered down, if it gets in the way of political
> > objectives.
> >
> > We can do three things in light of this:
> >
> > 1) We can try to add more encryption to fight back.
>
> Sounds good. We probably need better implementation and more deployment as
> well.
>
> >
> > 2) We can recognize that there needs to be hooks for duly authorized
> > access.
>
> That's not for this WG IMO. RFC 2804 is a BCP that says that.
>
> >
> > 3) We can change or at least influence the political objectives
>
> Not for the IETF IMO.
>
> S
>
>
> >
> > I think PRISM is ample evidence that #1 will have the 100% certain
> > result that all encryption will be circumvented, with bogus CA
> > certs all the way up to PRISM and designed-in backdoors, and the
> > net result is less or even no privacy for anybody everywhere.
> >
> > In my view, that would be very counterproductive.
> >
> > #2 is not without challenges, but at least there are plausible paths
> > from there to a state of affairs where innocent people might still
> > have access to private communications, and it might seem to be a
> > necessary precondition for any hope on #3
> >
> > #3 is clearly not inside HTTPbis scope, but it may be time for
> > all good nerds to come to the aid of their country and humanity.
> >
> > A "market based" argument can be made under #3, that if we design
> > protocols with the necessary access (#2), programs like PRISM will
> > not be cost effective, but that will take some serious effort
> > of education and politics.
> >
> > Anyway:  Edward Snowden has moved the rug under the HTTP/2.0
> > standardization process, and we should not ignore that.
> >
> > Think about it.
> >
> > --
> > Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> > phk@FreeBSD.ORG         | TCP/IP since RFC 956
> > FreeBSD committer       | BSD since 4.3-tahoe
> > Never attribute to malice what can adequately be explained by
> > incompetence.
> >
>
>
Received on Saturday, 13 July 2013 18:43:53 UTC
