----- Original Message -----
From: "Tim Bray" <tbray@xxxxxxxxxxxxxx>
To: <ned+ietf@xxxxxxxxxxxxxxxxx>
Cc: "IETF-Discussion Discussion" <ietf@xxxxxxxx>
Sent: Wednesday, November 06, 2013 2:35 AM

I disagree. I can’t think of a scenario in which a human who wants/needs to use IETF publications would not have access to an HTTPS-capable user agent. -T

<tp>
I want access to IETF publications in order to contribute to the standards process and I have access to a very fine, HTTPS-capable user agent (supplied by Microsoft). It works with almost every web site in the world, but not with the IETF's. For any https:// link, the initial html is downloaded, the CRL is downloaded and ..... zilch, nothing, a blank screen and a little globe that spins for hours.

Quite what is wrong with the IETF certificate chain's CRL I do not know, but I do know that the IETF website is inaccessible with HTTPS.

Of course, I can turn off CRL checking and it works perfectly. Which I think is a good summary of where we have got to with security (and no, OCSP is not out there yet).

This thread started with a design and, as other messages on this thread have pointed out, it would seem that that design, https, is largely irrelevant to the actual requirement, namely authentication; but the IETF has designed a very fine hammer, namely https, so let's get to work with the hammer:-(

Tom Petch

On Tue, Nov 5, 2013 at 6:21 PM, <ned+ietf@xxxxxxxxxxxxxxxxx> wrote:

>
> > I don't see reason to use https for delivery of public documents such
> > as RFCs and Internet Drafts. All that would really accomplish is
> > reduce caching opportunities.
>
> I don't have any problem with making things available via https, but it
> needs to be possible to retrieve things with regular http. Not everything gets
> retrieved by a browser and not every tool out there supports https.
>
> Ned