On Nov 6, 2013, at 6:23 PM, Dave Crocker <dhc@xxxxxxxxxxxx> wrote:

>
> Here's what I suggest: A single, simple, conceptual question that supplies all of the 'guidance' we can legitimately offer, at this stage:
>
>    The IETF needs to press for careful attention to privacy
>    concerns in its work, including protection against surveillance.
>
>    [ ] No
>    [ ] Yes
>    [ ] Don't Yet Know
>    [ ] Don't Care
>

Worded like that? I choose "Yes".

But this has a similar issue to the questions asked in the plenary. It's similar to the questions "do you want to eliminate crime?", "should your government have a balanced budget?", "are NATs bad?". Unless you're in the "get over it" camp on privacy, of course you're going to vote "Yes".

When such attention comes to specific work items, we get tradeoffs against performance and against ease of deployment. Saying that HTTP/2 will only work with server authentication (as has been suggested) means that you won't be able to just turn on a switch and get the better page-load times of HTTP/2. You would need to get a certificate first, and if your site required a 3-server cluster, you would need to either add several more nodes to the cluster or buy an SSL accelerator box. That's the kind of trade-off we have to think about when we advocate mandatory-to-use.

Yoav