------ Original Message ------
From: "Stephane Bortzmeyer" <bortzme...@nic.fr>
To: "Adrien de Croy" <adr...@qbik.com>
Cc: "Shane Kerr" <sh...@time-travellers.org>; "dnsop@ietf.org"
<dnsop@ietf.org>
Sent: 7/05/2016 10:13:37 p.m.
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-song-dns-wireformat-http-03.txt
> On Fri, May 06, 2016 at 07:53:50PM +0000,
> Adrien de Croy <adr...@qbik.com> wrote
> a message of 39 lines which said:
>
>> There's also RFC 2804 which is much more sensible and less likely to
>> pit engineers against governments.
>
> Our priority is the users, not the governments, I think.
Making citizens criminals in their own country because they use software
which implements protocols designed by us - how does that help them?
It's not clear cut. We don't like surveillance so we make it extremely
costly? A regime can choose to simply block, so the consequences are to
force political conflict, or cause users to lose service. It's quite an
arrogant position to take. We are engineers, or are we political
activists?
> RFC 3935,
> section 2: "The IETF has found that the process works best when
> focused around people, rather than around organizations, companies,
> governments or interest groups."
That sounds like a generalization to me.
> And RFC 2804 was written a long time ago, when people were still able
> to believe that there was little or no surveillance. We now know that
> surveillance is *massive* and *persistent*.
And many would argue "necessary".
I wouldn't personally argue that either way, but neither would I argue
that there is not a single case ever where it is necessary and should be
prohibited, because I know there are cases where it's necessary to not
have TLS for http.
OCSP and CRL checking of certs, which if you did over https would create
a circular validation paradox.
Then there's all the traffic which needs to be visible for whatever
purpose, such as:
* phone home traffic from e.g. network infrastructure where it's
necessary for it to be demonstrably benign.
* things like prisoners' web traffic, and other situations where there's
a legal requirement to monitor.
Then you have all the products based on devices which have http stacks
in them but not https (I use some of these, like SIM800 based systems).
Millions upon millions of devices like these should not exist either?
I am a proponent of choice. Making http use TLS everywhere is just
removing choice. We don't have the moral or any other authority to do
that.
Adrien
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop