+100

On Aug 26, 2011, at 6:50 AM, Scott Schmit wrote:

> On Fri, Aug 26, 2011 at 09:18:41AM +0200, t.petch wrote:
>> Why does the IETF website consider it necessary to use TLS to access
>> the mailing list archives, when they all appeared without it, or any
>> other security, in the first place?
>
> TLS provides more than confidentiality--it also provides authenticity.
> If I were living in a hostile regime, I'd appreciate knowing that the
> RFCs, etc that I'm getting really come from the IETF unmodified.
>
> Also, as a general principle, I'd rather someone not be able to read
> over my shoulder, even if it is harmless stuff. Using encryption only
> when I need it makes all of my encrypted traffic less secure.
>
> For example, if I were out to modify the traffic you read to make sure
> that you didn't even know that a working group existed, I'd have a lot
> easier time of it if you use DNS without DNSSEC, HTTP without TLS, TLS
> without HASTLS, DANE, HSTS, etc. Now, not all of that is completed
> protocol work, but one step at a time.
>
>> Besides all the usual hassle of TLS, today the certificate is reported
>> by IE as expired, which sort of sums it up.
>
> Mistakes happen. Hopefully lessons are learned so that they don't get
> repeated.
>
> If it's a protocol problem, whose fault is that but ours?
>
> --
> Scott Schmit
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf