- From: Roberto Peon <grmocg@gmail.com>
- Date: Mon, 18 Nov 2013 09:09:45 -0800
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAP+FsNfW8Y5WLdLGRiBNAjgyb5SVvjPaDsUYuJ_-0RbFQN7PAw@mail.gmail.com>
I wanted to focus on what we all agree upon for a moment. I'll note that I am not debating the goodness or badness of encryption, so please don't bring this into the thread-- I am completely aware that the definition of "the right thing" to do varies depending on the party wishing to define it, the particular user, site, or legislative jurisdiction, etc. So... I'm hoping for this thread to affirm or debate the following things: a) we cannot effectively impose changes on already deployed infrastructure or content b) we have the ability to create and define opt-in or opt-out mechanisms for encryption c) non-encrypted plaintext on port 80 is reliable today when only it is a particular subset of http/1.1 d) the definition of "the right thing" to do with respect to using or not using encryption varies depending on the party wishing to define it, the particular user, site, or legislative jurisdiction, etc. e) there is pervasive monitoring today, and that some of this monitoring includes entities with malicious intent (i.e. criminals). f) users do care about privacy to the extent that they want to choose what should be public and that they don't want their lives damaged or destroyed as a result of legal online activity (i.e. don't want their identity or assets stolen) g) sites do care about privacy: at a base minimum they want to retain the trust of their users h) users don't have the technical depth to understand what is necessary to achieve privacy, let alone security i) educating and communicating about technical issues that can potentially affect users is extremely difficult and would take significant time, if possible at all -=R
Received on Monday, 18 November 2013 17:10:13 UTC