[ARIN-consult] Consultation on ACSP 2018.3

Owen DeLong owen at delong.com
Tue Apr 3 02:01:16 EDT 2018


I agree with Bill Herrin. Yes to 1,2,3, 5. No to 4, 6.

(No to HSTS and no to Long term goal to push programmatic access to HTTPS)

Owen

> On Apr 2, 2018, at 09:55 , Kevin Blumberg <kevinb at thewire.ca> wrote:
> 
> John,
>  
> The blueprint that Frank laid out is very sensible and doesn’t impact programmatic access.
> 
> This should be an ongoing process of improvement. Once implemented you should have a much better sense of how often requests are coming in that are not https.
> 
> Thanks,
>  
> Kevin Blumberg
>  
> From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of John Curran
> Sent: Monday, April 2, 2018 9:07 AM
> To: frnkblk at iname.com
> Cc: <arin-consult at arin.net>
> Subject: Re: [ARIN-consult] Consultation on ACSP 2018.3
> Importance: High
>  
> On 2 Apr 2018, at 9:00 AM, frnkblk at iname.com wrote:
>  
> There’s been some great discussion on this topic.  I’d like to suggest the following approach:
> 1. No auto-redirection at this time
> 2. But stop redirecting https://whois.arin.net to http://whois.arin.net/ui/, rather redirect them to https://whois.arin.net/ui. If they chose to go to the secure site, being redirected to the insecure site does not seem like a good idea.
> 3. Make sure that all links from ARIN’s other sites to whois.arin.net are referring to the HTTPS one (that may already be the case, but I don’t know)
> 4. Enable HSTS for whois.arin.net – if a web browser hits it intentionally then just keep doing it automatically.
> 5. Provide some subtle feedback (perhaps an extra line/bar at the top of the page) to those web browsing the HTTP version of whois.arin.net to alert them that they are searching in the clear and provide a link to the secure version.
> 6. Develop a long-term goal to migrate programmatic access to HTTPS
>  
>  
> Frank -  
>  
>    Excellent strawman proposal for moving forward - thank you for taking the time to express it with clarity! 
>  
> All - 
>  
>    Any specific objections or concerns with ARIN proceeding as proposed above? 
>  
> Thanks!
> /John
>  
> John Curran
> President and CEO
> ARIN