- From: Daniel Austin <daniel_b_austin@yahoo.com>
- Date: Fri, 14 Nov 2014 07:45:53 -0800
- To: Web Payments <public-webpayments@w3.org>
- Message-Id: <1D6C7ADA-BC2E-4696-B7BE-8D211CBE96F9@yahoo.com>
Some notes for our friends at the IAB (via the IETF).

R,

D-

Sent from my iPhone

Begin forwarded message:

> Resent-From: ietf-http-wg@w3.org
> From: Mark Nottingham <mnot@mnot.net>
> Date: November 14, 2014 at 4:01:50 AM PST
> To: HTTP <ietf-http-wg@w3.org>
> Subject: Fwd: IAB Statement on Internet Confidentiality
>
> Everyone,
>
> Please have a read through this carefully. Not only does it have potential impact upon future work — including any standards work around proxies — but it also may weigh on our current work (HTTP/2) when we take it to IETF Last Call.
>
> Regards,
>
>> Begin forwarded message:
>>
>> From: IAB Chair <iab-chair@iab.org>
>> Subject: IAB Statement on Internet Confidentiality
>> Date: 13 November 2014 11:26:02 pm GMT-10
>> To: IETF Announce <ietf-announce@ietf.org>
>> Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-announce/ObCNmWcsFPNTIdMX5fmbuJoKFR8
>> Cc: IAB <iab@iab.org>, IETF <ietf@ietf.org>
>> Reply-To: ietf@ietf.org
>>
>> Please find this statement issued by the IAB today.
>>
>> On behalf of the IAB,
>> Russ Housley
>> IAB Chair
>>
>> = = = = = = = = = = = = =
>>
>> IAB Statement on Internet Confidentiality
>>
>> In 1996, the IAB and IESG recognized that the growth of the Internet
>> depended on users having confidence that the network would protect
>> their private information. RFC 1984 documented this need. Since that
>> time, we have seen evidence that the capabilities and activities of
>> attackers are greater and more pervasive than previously known. The IAB
>> now believes it is important for protocol designers, developers, and
>> operators to make encryption the norm for Internet traffic. Encryption
>> should be authenticated where possible, but even protocols providing
>> confidentiality without authentication are useful in the face of
>> pervasive surveillance as described in RFC 7258.
>>
>> Newly designed protocols should prefer encryption to cleartext operation.
>> There may be exceptions to this default, but it is important to recognize
>> that protocols do not operate in isolation. Information leaked by one
>> protocol can be made part of a more substantial body of information
>> by cross-correlation of traffic observation. There are protocols which
>> may as a result require encryption on the Internet even when it would
>> not be a requirement for that protocol operating in isolation.
>>
>> We recommend that encryption be deployed throughout the protocol stack
>> since there is not a single place within the stack where all kinds of
>> communication can be protected.
>>
>> The IAB urges protocol designers to design for confidential operation by
>> default. We strongly encourage developers to include encryption in their
>> implementations, and to make them encrypted by default. We similarly
>> encourage network and service operators to deploy encryption where it is
>> not yet deployed, and we urge firewall policy administrators to permit
>> encrypted traffic.
>>
>> We believe that each of these changes will help restore the trust users
>> must have in the Internet. We acknowledge that this will take time and
>> trouble, though we believe recent successes in content delivery networks,
>> messaging, and Internet application deployments demonstrate the
>> feasibility of this migration. We also acknowledge that many network
>> operations activities today, from traffic management and intrusion
>> detection to spam prevention and policy enforcement, assume access to
>> cleartext payload. For many of these activities there are no solutions
>> yet, but the IAB will work with those affected to foster development of
>> new approaches for these activities which allow us to move to an Internet
>> where traffic is confidential by default.
>
> --
> Mark Nottingham   http://www.mnot.net/

Received on Friday, 14 November 2014 15:46:23 UTC