Internet Architecture Board

RFC2850

IAB Minutes 2016-10-12

Home»Documents»Minutes»Minutes 2016»IAB Minutes 2016-10-12

Minutes of the 2016-10-12 IAB Teleconference (Tech Chat & Business Meeting)

1. Roll-call, agenda-bash, administrivia, minutes

1.1. Attendance

Present:
  • Jari Arkko (IETF Chair)
  • Lars Eggert (IRTF Chair)
  • Mat Ford (ISOC Liaison)
  • Joe Hildebrand
  • Russ Housley
  • Lee Howard
  • Ted Hardie
  • Cindy Morgan (IAB Executive Administrative Manager)
  • Erik Nordmark
  • Robert Sparks
  • Dave Thaler
  • Martin Thomson
  • Brian Trammell
  • Amy Vezza (IETF Secretariat)
  • Suzanne Woolf
Regrets:
  • Ralph Droms
  • Heather Flanagan (RFC Editor Liaison)
  • Suresh Krishnan (IESG Liaison)
  • Andrew Sullivan (IAB Chair)
Guests:
  • Corey Gilmore

1.2. Administrivia

Cindy Morgan reminded the IAB to send any changes to the BoF Coordination call minutes to Amy Vezza by the end of this week.

An item on the IETF Protocol Registries Oversight Committee was added to the agenda.

1.3. Meeting Minutes

The minutes of the 28 September 2016 and 5 October 2016 meetings remain under review.

1.4. Action Item Review

The internal action item list was reviewed.

2. Tech Chat: Challenges to HTTPS Adoption in Media Websites

Corey Gilmore, Chief Architect at Penske Media Corporation, joined the IAB to talk about some of the challenges that media websites face when trying to transition to HTTPS.

The major challenges are that media websites have minimal staff to handle the issues, mixed content warnings run rampant, and there are a number of players involved.

Internally, management worries about the cost of SSL certificates and how to allocate staff resources to figure out where the mixed content warnings are coming from, which can lead to a “why bother?” attitude.

Once the switch is flipped and things are forced over HTTPS, there can be a drop in traffic, and it can take weeks or even months to recover. Twitter and Facebook treat canonical URLs differently, which can end up splitting page view counts between HTTP and HTTPS.

Developers run into challenges trying to track down issues from third-parties (e.g., ads, embedded videos). The majority of the mixed content warnings come from advertising, and it is not always clear who to contact to get the problem fixed, or what should be done if there is no fix available. In some cases, the content might be time sensitive, such as with an exclusive video that cannot wait months or weeks for a fix to be made available.

The Internet Advertising Bureau issued a call for advertisers to support HTTPS in March 2015. Some ads are directly sold, but more are programmatic, where agencies swap out content after a campaign has started. For programmatic ads, there may be several different layers to go through before the problem can be found. At the same time, ad agencies are often not as well equipped to handle TLS as the media websites are. Moat, which measures ad viewability, did not support TLS for over a year. Recovering from ad blockers is also an issue, as advertisers only want to pay for ads that are actually seen.

CDNs used to charge for HTTPS. Let’s Encrypt has effectively solved this, but the CDNs need to educate their customers about what is available to them.

Trying to educate people on the differences between HTTP and HTTPS is also a challenge. Even when HTTPS is supported on a site, it may not be clear when a third-party’s default embed code does offer HTTPS; teaching people to look for the HTTPS version of an embed is necessary.

Corey Gilmore noted that media websites track users, and that HTTPS will not stop that. However, they do try to be responsible with the information, as they do not want user identifiers to be stolen.

In summary:

  • Media websites would like to reap the benefits of using HTTPS.
  • Media websites make money through advertising, which is difficult to secure.
  • Media websites that rely on third-party content like embedded video find it challenging to serve reliably over TLS.

Erik Nordmark asked Corey Gilmore what he would like to see move faster. Corey replied that he would like to see CDNs proactively reach out to their customers and force HTTPS everywhere. Browsers still do not always support the CSP header, especially on mobile devices. There needs to be outreach to the content creators. Advertising is broken; it is already difficult enough to keep malicious ads out.

Martin Thomson asked why third-party video providers are not using HTTPS in their embed codes. Corey Gilmore replied that the embed itself is an HTML snippet, which may be different depending on the platform or the player, for no good reason.

The IAB thanked Corey Gilmore for his presentation.

3. Future Tech Plenaries

Brian Trammell reported that work on a technical plenary on Implications of Protocol Design on the Rights of Internet Users for IETF 97 is progressing.

The Plenary Planning Program will discuss potential topics for post-Seoul plenaries at IETF 97.

Cindy Morgan will copy the Plenary Planning Program mailing list on future tech chat invitations.

4. IPv6 Liaison statement

Erik Nordmark asked if there was a single document that references all of the IETF standards around transition technology. Lee Howard said that he would take a look around and see if he could find something. Dave Thaler added that there is an APNIC document, but it only covers a few of the technologies.

Erik Nordmark will send the updated IPv6 statement out to the IAB for review.

5. IAB Schedule at IETF 97

The IAB briefly reviewed their schedule for IETF 97. Cindy Morgan asked Program Leads to start scheduling their meetings so that she can put in the catering and A/V requests.

Lars Eggert took an action to suggest an IRTF Research Group to review at IETF 97.

Cindy Morgan will send out a call for agenda items.

6. BOF and PRG Coverage at IETF 97

The IAB briefly discussed BOF and Proposed Research Group coverage at IETF 97. Brian Trammell is one of the co-chairs for the BANANA BOF. Andrew Sullivan and Suzanne Woolf will shepherd the DNSBUNDLED BOF. Lee Howard and Brian Trammell will cover the Proposed NMLRG, assuming that the conflicts work out.

Cindy Morgan will add links to the BOF wiki and the IETF 97 agenda on the BOF coverage page.

7. Privacy and Security Program Review

Ted Hardie reported that the Privacy and Security Program is currently working on three documents:

  • draft-iab-web-pki-problems
    • The authors are working on an update to address comments received so far, and the Program plans to discuss this further during IETF 97.
  • draft-iab-privsec-confidentiality-mitigations
    • The author is working on an update to address the comments received so far; the plan is to have the document ready for community review sometime around IETF 97.
  • draft-hardie-privsec-metadata-insertion
    • The author is discussing whether to fold this into the -bis version of the RFC on writing security considerations text. In any case, the document should eventually end up published as an IETF consensus document.

At IETF 97, the Program will discuss whether the Program will need to be re-scoped once the above documents are completed.

8. draft-farrell-iotsu-workshop

The IAB agreed to adopt draft-farrell-iotsu-workshop as an Informational document on the IAB stream.

9. IETF Protocol Registries Oversight Committee (IPROC)

Russ Housley reported that with the IANA Stewardship Transition approved, the new IANA SLA is in effect. In the new SLA, the IAB and the IAOC have formal roles, but the IPROC is no longer mentioned. As such, he asked if it was time to remove the formality around the IPROC, which is currently both an IAB Program and an IAOC subcommittee. The IAB agreed that this was a good idea. Russ Housley will draft a message to the IAOC explaining what the IAB plans to do and ask how the IAOC plans to proceed on their end.