Roy Fielding on TLS:
https://www.ietf.org/mail-archive/web/ietf/current/msg93416.html
Found at http://sn.1w6.org/notice/121581
Provocative, not sure what to make of it yet.
TLS does not provide privacy. What it does is disable anonymous access to ensure authority. It changes access patterns away from decentralized caching to more centralized authority control. That is the opposite of privacy.

TLS is desirable for access to account-based services wherein anonymity is not a concern (and usually not even allowed). TLS is NOT desirable for access to public information, except in that it provides an ephemeral form of message integrity that is a weak replacement for content integrity.

If the IETF wants to improve privacy, it should work on protocols that provide anonymous access to signed artifacts (authentication of the content, not the connection) that is independent of the user's access mechanism.

I have no objection to the IESG proposal to provide information *also* via https. It would be better to provide content signatures and encourage mirroring, just to be a good example, but I don't expect eggs to show up before chickens.

However, I agree with Tony's assessment: most of the text is nothing more than a pompous political statement, much like the sham of "consensus" that was contrived at the Vancouver IETF.

TLS everywhere is great for large companies with a financial stake in Internet centralization. It is even better for those providing identity services and TLS-outsourcing via CDNs. It's a shame that the IETF has been abused in this way to promote a campaign that will effectively end anonymous access, under the guise of promoting privacy.
@clacke Every VPS provider I've ever used required a lot more info than CertAuthorities do, though most don't do any verification.
Yeah, that's probably true for most VPS providers. Just trying to tease out some scenario that might explain what he means.
"Not sure what to make of it yet": amen. I don't mean this as a brush off. I find it appealing enough that I want to understand it better.