On Fri, Aug 26, 2011 at 09:18:41AM +0200, t.petch wrote:
> Why does the IETF website consider it necessary to use TLS to access
> the mailing list archives, when they all appeared without it, or any
> other security, in the first place?

TLS provides more than confidentiality--it also provides authenticity. If I were living in a hostile regime, I'd appreciate knowing that the RFCs, etc. that I'm getting really come from the IETF unmodified.

Also, as a general principle, I'd rather someone not be able to read over my shoulder, even if it is harmless stuff. Using encryption only when I need it makes all of my encrypted traffic less secure.

For example, if I were out to modify the traffic you read to make sure that you didn't even know that a working group existed, I'd have a lot easier time of it if you use DNS without DNSSEC, HTTP without TLS, TLS without HASTLS, DANE, HSTS, etc. Now, not all of that is completed protocol work, but one step at a time.

> Besides all the usual hassle of TLS, today the certificate is reported
> by IE as expired, which sort of sums it up.

Mistakes happen. Hopefully lessons are learned so that they don't get repeated. If it's a protocol problem, whose fault is that but ours?

-- 
Scott Schmit
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf