Fwd: IAB Statement on Internet Confidentiality

From: Daniel Austin <daniel_b_austin@yahoo.com>
Date: Fri, 14 Nov 2014 07:45:53 -0800
Message-Id: <1D6C7ADA-BC2E-4696-B7BE-8D211CBE96F9@yahoo.com>
To: Web Payments <public-webpayments@w3.org>

Some notes for our friends at the IAB (via the IETF).

R,
D-

Sent from my iPhone

Begin forwarded message:

> Resent-From: ietf-http-wg@w3.org
> From: Mark Nottingham <mnot@mnot.net>
> Date: November 14, 2014 at 4:01:50 AM PST
> To: HTTP <ietf-http-wg@w3.org>
> Subject: Fwd: IAB Statement on Internet Confidentiality
> 
> Everyone,
> 
> Please have a read through this carefully. Not only does it have potential impact upon future work — including any standards work around proxies — but it also may weigh on our current work (HTTP/2) when we take it to IETF Last Call.
> 
> Regards,
> 
> 
>> Begin forwarded message:
>> 
>> From: IAB Chair <iab-chair@iab.org>
>> Subject: IAB Statement on Internet Confidentiality
>> Date: 13 November 2014 11:26:02 pm GMT-10
>> To: IETF Announce <ietf-announce@ietf.org>
>> Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-announce/ObCNmWcsFPNTIdMX5fmbuJoKFR8
>> Cc: IAB <iab@iab.org>, IETF <ietf@ietf.org>
>> Reply-To: ietf@ietf.org
>> 
>> Please find this statement issued by the IAB today.
>> 
>> On behalf of the IAB,
>> Russ Housley
>> IAB Chair
>> 
>> = = = = = = = = = = = = =
>> 
>> IAB Statement on Internet Confidentiality
>> 
>> In 1996, the IAB and IESG recognized that the growth of the Internet
>> depended on users having confidence that the network would protect
>> their private information.  RFC 1984 documented this need.  Since that
>> time, we have seen evidence that the capabilities and activities of
>> attackers are greater and more pervasive than previously known.  The IAB
>> now believes it is important for protocol designers, developers, and
>> operators to make encryption the norm for Internet traffic.  Encryption
>> should be authenticated where possible, but even protocols providing
>> confidentiality without authentication are useful in the face of
>> pervasive surveillance as described in RFC 7258.
>> 
>> Newly designed protocols should prefer encryption to cleartext operation.
>> There may be exceptions to this default, but it is important to recognize
>> that protocols do not operate in isolation.  Information leaked by one
>> protocol can be made part of a more substantial body of information
>> by cross-correlation of traffic observation.  There are protocols which
>> may as a result require encryption on the Internet even when it would
>> not be a requirement for that protocol operating in isolation.
>> 
>> We recommend that encryption be deployed throughout the protocol stack
>> since there is not a single place within the stack where all kinds of
>> communication can be protected.
>> 
>> The IAB urges protocol designers to design for confidential operation by
>> default.  We strongly encourage developers to include encryption in their
>> implementations, and to make them encrypted by default.  We similarly
>> encourage network and service operators to deploy encryption where it is
>> not yet deployed, and we urge firewall policy administrators to permit
>> encrypted traffic.
>> 
>> We believe that each of these changes will help restore the trust users
>> must have in the Internet.  We acknowledge that this will take time and
>> trouble, though we believe recent successes in content delivery networks,
>> messaging, and Internet application deployments demonstrate the
>> feasibility of this migration.  We also acknowledge that many network
>> operations activities today, from traffic management and intrusion
>> detection to spam prevention and policy enforcement, assume access to
>> cleartext payload.  For many of these activities there are no solutions
>> yet, but the IAB will work with those affected to foster development of
>> new approaches for these activities which allow us to move to an Internet
>> where traffic is confidential by default.
> 
> --
> Mark Nottingham   http://www.mnot.net/

Received on Friday, 14 November 2014 15:46:23 UTC
