Re: Call for Community Feedback: Retiring IETF FTP Service


 



There seem to be two groups of users causing the discussion.
One set are folks who use scripts that will be discommoded if we drop
FTP access.  That is a concern.  But a somewhat manageable one.  And one
where we have to at some point be able to say "no, we do not support
things forever".

I don't think anyone is saying "forever", just "not now". Indeed, given that
some of the people making this argument are the same people who believe a total
transition to IPv6 is going to happen - a transition ftp will not survive -
it's pretty obvious this isn't the case.

The other argument is that there exist a set of people who will be
unable to practically get the documents if we drop the FTP access.

I was relieved to learn that rsync does not require crypto, so there's at least
one other non-crypto option the IETF still supports. OTOH, the set of
capabilities rsync provides is quite different and much more limited, so this
is not sufficient cause for me to change my position on ftp.

If true, that is important.  But we do not appear to have any way to
evaluate the statement as other than a hypothetical.  We know such
people could exist.  But do we know if they do exist?

And now not only are you asking for information about current conditions we do
not have, you're also asking us to predict the future.

What we do know is that our track record in regards to anticipating unintended
consequences is incredibly poor.

In this regard, there has already been discussion of the downsides to dropping
HTTP support entirely; I see no reason to elaborate further on that.

But if you want a crypto-specific example, you need look no further than how
we've unintentionally introduced widespread non-repudiation into our email
infrastructure.

More specifically, we developed DKIM/DMARC as an anti-phishing measure for
commercial email. It was never intended to be used for personal email, but
Yahoo deployed it in the personal email space and others have followed suit on
a massive scale. As a result a significant and growing percentage of email is
now signed, to the point where privacy experts are calling for DKIM key release
after rotation to at least partially mitigate the damage we have done.

For me the bottom line is this is a very small cost that at a minimum provides
insurance against some really bad outcomes.

It seems to me that arguing for keeping the service because people in
the second category may exist is a very weak argument.

Right back atcha, Joel.

				Ned



