07:04:30 RRSAgent has joined #https-transitional 07:04:30 logging to http://www.w3.org/2015/10/28-https-transitional-irc 07:07:36 kpfleming has joined #https-transitional 07:09:03 barryleiba has joined #https-transitional 07:09:10 q? 07:09:12 mkwst has joined #https-transitional 07:09:14 mishizaw has joined #https-transitional 07:09:17 kaoru has joined #https-transitional 07:09:20 need to invite zakim 07:09:32 my IRC client won't do it unfortunately 07:09:34 How do one do that? 07:09:45 I'll try, if I know. 07:09:47 "/invite zakim https-transitional" 07:09:47 Zakim has joined #https-transitional 07:09:52 someone did already 07:09:52 Ah 07:09:55 q? 07:09:57 jxck has joined #https-transitional 07:09:58 scribe: mkwst 07:10:14 bhill2: This is an idea at the "collection of interesting ideas" phase. 07:10:17 npdoty has joined #https-transitional 07:10:20 ... no one's implemented, just freeform discussion. 07:10:25 mt_____ has joined #https-transitional 07:10:28 ... came up this summer during berlin F2F. 07:10:34 ... "How do we encourage more HTTPS"? 07:10:39 "just turn off http://" 07:10:44 ... what are obstacles. 07:10:57 ... how do we get there without a flag day, without damaging the link structure of the web, etc. 07:11:00 When mkwest says "collection of interesting ideas", he usually has a complete draft of the spec :) 07:11:28 JeffH has joined #https-transitional 07:11:28 ... Traditional wisdom: "Why aren't you on HTTPS" -> getting a cert is a pain. 07:11:42 ... Let's Encrypt solves that! All done! 07:12:04 ... Let's assume that Let's Encrypt gives you certs, and it just comes with Apache. 07:12:14 kodonog has joined #https-transitional 07:12:14 virginie has joined #https-transitional 07:12:14 ... If I have a modern website, I still can't just flip the switch. 07:12:19 rbarnes has joined #https-transitional 07:12:21 ... Because of Mixed Content. 07:12:34 yoav has joined #https-transitional 07:12:54 ... [explains dependency problem: http can load https, but not vice versa] 07:13:21 plinss has joined #https-transitional 07:13:24 ... I don't want to just flip over to HTTPS, because users will get a bad experience. 07:13:39 ... Even if I just publish it, HTTPS Everywhere will find it, Google will promote it in search, etc. 07:13:45 LarsG has joined #https-transitional 07:13:47 ... Users are going to have a bad time until I do a lot of work. 07:13:59 ... Why is mixed content a problem? 07:14:07 ... Do I need to go into this?. 07:14:09 Completely hypothetical example of large static site like w3.org 07:14:10 [No.] 07:14:16 dbaron has joined #https-transitional 07:14:17 ... How do we fix mixed content? 07:14:23 ... Upgrade-Insecure-Requests is one answer. 07:15:01 ... Just upgrades all requests from http to https, assertion from the site that the resources are semantically equivalent. 07:15:22 ... If I just add this header, many problems are fixed. 07:16:13 [explanation of upgrade-insecure-requests: https://w3c.github.io/webappsec-upgrade-insecure-requests/] 07:16:24 ... Deadlock in upgrading if one dependency isn't upgraded. 07:16:46 ... Deadlocks cascade. Dependencies between websites create upgrade problems. 07:17:21 ... How do we break the deadlock? 07:17:29 ... Introduce an intermediary state. 07:17:38 Opportunistic, I think, right? 07:17:49 ... Like opportunistic encryption, but with similar properties to "real" encryption. 07:18:30 ... Keep "principle of tranquility" by not treating it as secure in the UI (like OE) 07:18:38 timeless has joined #https-transitional 07:18:46 RRSAgent, draft minutes 07:18:46 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 07:18:47 ... But this optimistic mode would not be treated as mixed content for subresource loads. 07:19:09 ... Zero cost, zero risk. Happy users. Anyone depending on me is unblocked. 07:19:35 I'm not sure what "optimistic" means, or if it's synonymous to opportunistic... Or if opportunistic is well defined either 07:19:35 ... Would it be sufficient to allow everything but HTML pages? 07:19:41 s/need to invite zakim// 07:20:02 ... Iframes cause problems, because dependencies that go from HTML to HTML across origin boundries. 07:20:20 ... Idea to solve this is the transitional mode via a new ALPN protocol. 07:20:25 ... [explains APLN] 07:20:45 ... [https://tools.ietf.org/html/rfc7301] 07:21:01 ... Client indicates protocols it's willing to support, server chooses one. 07:21:02 s/APLN/ALPN 07:21:09 ... No additional roundtrip. 07:21:56 ... Origin A that depends on Origin B can load resources from origin B iff Origin B supports the transitional mode: 07:22:24 ... Initiate a connection to B on 443, tell the server that you support either "real" HTTPS or transitional HTTPS. 07:22:31 ... Server can decide what to deliver back to the client. 07:22:47 ?: What's different from server B's point of view? 07:22:56 bhill2: Transitional provides a few things. 07:23:13 ... 1. It provides a contract which says 07:23:43 ... The content provided over transitional is semantically identical to the response it would give over HTTP. 07:23:54 ... http://forbes.com != https://forbes.com 07:24:03 ... This gives assurances that the two are the same. 07:24:29 martin: HSTS is a signal of equivalence. 07:24:52 [side conversations] 07:25:15 JeffH: HSTS isn't equivalence. It breaks HTTP and replaces it. 07:25:53 martin: It also states that on the transitional indicator. This is analogous to the HSTS signal. 07:26:00 JeffH: But two different policies. 07:26:11 rbarnes: I don't understand the distinction you're making. 07:26:23 ... HSTS says that the authoritative version is HTTPS. 07:26:35 JeffH: And HSTS says that there is no HTTP version. 07:26:49 rbarnes: But either way, you're going to HTTPS, right? 07:27:04 dan: That works if you're the provider, but not if you're the consumer of those resources. 07:27:28 rbarnes: Non-determinism is a solvable problem. I have a proposal for priming that's floating around. 07:27:43 XXX: What should the client do differently when this is present? 07:28:02 s/XXX/zcorpan/ 07:28:07 bhill2: Two modes: when you fetch a resource as a top-level resource, and when the content is loaded as a subresource. 07:28:24 ... When A loads B over transitional, A doesn't have mixed content warnings. 07:28:45 ... When B is a top-level navigation, you upgrade the transport, but don't treat it as secure. 07:29:01 You don't enforce Mixed Content blocking and you don't show a nice lock icon? 07:29:10 dbaron: When it's a subresource of an HTTPS resource, right? 07:30:03 bhill2: When transitional is loaded as top-level, UA doesn't show a lock lock, won't claim to be HTTPS, won't block mixed content. 07:30:19 ... Don't provide a bad experience for my users, and folks who depend on me can do so securely. 07:30:50 rbarnes: What about iframed iframes? 07:30:55 rbarnes has joined #https-transitional 07:31:07 bhill2: Right. Insecurely framed documents would still break. This doesn't fix them. 07:31:22 martin: How do you get to transitional for origin B? 07:31:27 Are we incentivized to just all go to transitional? 07:31:47 bhill2: Land on it with HTTP, and either the browser tries 443 optimistically, or we do alt-src header. 07:31:54 mnot: Probably need to do the latter. 07:32:10 bhill2: Sure. Maybe we do that in the future, maybe HTTPS Everywhere makes that a pref. Who knows. 07:32:31 [something about upgrade-insecure-requests that I missed.] 07:32:46 bhill2: If you have upgrade-insecure-requests set, it attempts the load over 443. 07:33:02 ... Right now, folks don't want to turn that on because it exposes users to broken experiences. 07:33:15 ... Can do it optimistically without providing broken experiences. 07:33:33 yoav: Transitional gives you the option of upgrading? 07:33:45 bhill2: Right. There's practically zero risk of breaking clients with transitional. 07:33:54 ... User would never see a mixed content warning by visiting your page. 07:34:11 yoav: What are the advantages of using this? You don't get service workers, no secure contexts, etc? 07:34:19 ... But you do get HTTP/2, right? 07:34:44 bhill2: Transport layer is distinct. You get all that, but you don't get the promises of HTTPS. No mixed content, no secure context, etc. 07:35:18 ... Eventually I can flip a second switch, say "I'm tranquil. Sure, you said HTTP, but I'm really HTTPS, so enforce all that on me." 07:35:35 martin: Couldn't you just HSTS at that point? 07:35:44 bhill2: Sure, but there are billions of links in databases. 07:35:48 tim: Paper documents! 07:36:12 JeffH: The intention ... this could be a rathole ... The HSTS policy statement doesn't imply that anything is available over HTTP. 07:36:29 ... Even though there's URL rewriting, what drove us to flip the scheme was usability on the user's part. 07:36:41 ... Not to make a statement that HTTP is semantically equivalent to HTTPS. 07:36:54 rbarnes: Maybe morally you're not, but effectively you are. 07:37:09 bhill2: HTTPS categorically blocks because of mixed content in status quo. 07:37:16 ... Network stack folks don't want to change that. 07:37:24 ... Contract is also to developers: fail fast, fail hard. 07:37:51 ... Enables a gradual transition rather than flag days and emergency sirens. 07:38:05 q? 07:38:05 JeffH: This policy is about semantic equivalents. HSTS doesn't make that promise. 07:38:18 rbarnes has joined #https-transitional 07:38:25 dka has joined #https-transitional 07:38:28 tim: The promise is relevant for semantic web. 07:38:33 RRSAgent, draft minutes 07:38:33 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 07:38:51 ... Devices do canonicalization on URLs anyway. 07:39:13 ... Will there be an API to look at my XHR in some way to tell me about the commitments made by the other side? 07:39:18 meeting: Transitioning to HTTPS 07:39:20 bhill2: URL wouldn't change. Just behind the scenes guts. 07:39:37 chair: bhill 07:39:41 ... URL doesn't change, so you can implicitly assume the semantic equivalence. 07:39:46 present+ tbl 07:39:53 RRSAgent, draft minutes 07:39:53 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 07:39:57 JeffH: i would be totally in favor of updating HSTS to make the statement of semantic equivalence 07:40:06 since everybody already thinks it does :) 07:40:09 tim: Imagine I fetch one thing from a server, that gives me knowledge of that URI. What do I do for other URIs? 07:40:11 s/my IRC client won't do it unfortunately// 07:40:14 bhill2: This doesn't address that. 07:40:20 s/How do one do that?// 07:40:27 s/I'll try, if I know.// 07:40:38 s|"/invite zakim https-transitional"|| 07:40:45 s|someone did already|| 07:40:54 s|Ah|| 07:40:56 ... This lets you access a service over TLS that makes a guarantee that a resource is semantically equivalent to the one over a non-TLS channel. 07:40:58 RRSAgent, draft minutes 07:40:58 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 07:41:15 ... "Is there a way for an application to know that HTTPS == HTTP for an origin?" 07:41:18 dveditz has joined #https-transitional 07:41:22 ... No, not today, and no that's not part of this proposal. 07:41:32 RRSAgent, pointer? 07:41:32 See http://www.w3.org/2015/10/28-https-transitional-irc#T07-41-32 07:41:35 ... This lets you try a connection, and ensure that you get such a resource back. 07:41:51 rbarnes: We should update HSTS so that it's a guarantee of equivalence. 07:42:00 JeffH: It would require changes to browsers. 07:42:08 s/... How do we fix mixed content?/bhill2: How do we fix mixed content?/ 07:42:11 tim: First write in the spec that HSTS makes that commitment. 07:42:31 ... Then, having that commitment, get the information to the application. 07:42:54 i|explanation of upgrade-insecure-requests|-> https://w3c.github.io/webappsec-upgrade-insecure-requests/ explanation of upgrade-insecure-requests 07:43:05 JeffH: Altering the semantics of HSTS might be a way to address this if browsers are on board. 07:43:05 RRSAgent, draft minutes 07:43:05 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 07:43:13 q+ 07:43:20 rbarnes: Given that the browser behavior 80% implements the equiv. right now, it seems simpler to just change it. 07:43:49 bhill2: That addresses Tim's use case, but not the more important use case of getting folks to TLS without a flag day. 07:44:04 present+ dveditz 07:44:04 JeffH: Maybe we could implement all this under the HSTS policy. 07:44:07 present+ dbaron 07:44:13 bhill2: I think you need a way to break the deadlocks. 07:44:23 rbarnes: Do you have examples of the deadlock problem. 07:44:30 tim: w3.org. 07:44:39 tim: He's in the building. 07:44:59 ... You tell us to go to Ted, and tell him to turn on HTTPS. 07:45:06 ... circular dependencies. 07:45:10 present+ LarsG 07:45:21 bhill2: We have evidence of this. Easy. Ad networks. 07:45:31 rbarnes: This is a telemetry problem. 07:45:50 ... The word we used was "transitional". What gets folks to transition? 07:45:58 tim: This works! we get to the blue state! 07:46:11 ... If everyone is blue, we're secure. 07:46:15 rbarnes: No, blue isn't secure! 07:46:36 bhill2: Blue lets you discover what content would have been loaded without mixed content blocking. 07:46:50 RRSAgent, draft minutes 07:46:50 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 07:46:56 rbarnes: Maybe this is a report-only mode of upgrade insecure requests. 07:47:15 ... Maybe that's simpler to conceptualize than a third mode. 07:47:30 bhill2: The blue state is easy! Don't care, we just turn it on for you. 07:48:02 zcorpan: What if firewall blocks 443? 07:48:16 bhill2: Won't be worse than status quo. If you don't send the alt-srv header, no risk of breakage. 07:48:27 ... The goal is turn it on, no breakage. 07:48:31 s/zcorpan/fluffy 07:49:01 bhill2: This is meant to break the deadlocks. 07:49:23 ... Once everyone is transitional because it's free, or, if not everyone, more than status quo, deadlocks are broken. 07:49:35 ... Which is a virtuous cycle. 07:49:39 rbarnes has joined #https-transitional 07:50:01 timeless: What's the timeline? At what point could we just switch? 07:50:06 scribe: yoav 07:50:22 bhill: It would be simple to build this into nginx/Apache 07:50:26 scribenick: yoav 07:50:46 s/bhill/bhill2/ 07:50:52 Set your config to connect ALPN token to the right port 07:51:15 timeless: You want it in all server in the world 07:51:24 s/server/servers/ 07:51:57 timeless: So some sites will turn blue after a few months, and some sites will never be blue 07:51:58 server stacks: apache, tomcat, iis, custom CDN stacks, etc 07:52:12 so after a while, we have to decide everything is green and everything will break 07:52:57 bhill: You're probably right, some sites will never upgrade and that's it, but at some point, if we'd stop support 07:53:13 there would be a flag day, but this will enable us to move more people sooner 07:53:24 s/so after/... so after/ 07:53:24 by enabling more sites to move to that transitional state 07:53:29 s/there would/... there would/ 07:53:33 s/by/... by/ 07:53:36 q? 07:53:57 BLUE IS NOT SECURE 07:54:05 tbl: supposed that we came back in 4 years and everything is blue, transitional but completely secure 07:54:17 timeless: I would be happy, but we'd switch it 07:54:42 XXX: blue is vulnerable to downgrade attacks, so you don't want that long term 07:54:53 so it's not perfect, but better than nothing 07:54:57 s/XXX/mt_____/ 07:54:59 s/XXX:/martin:/ 07:55:11 s|s/XXX:/martin:/|| 07:55:20 mt: So we won't want to support blue indefinitely 07:55:38 maybe we can re-examine the HSTS thing 07:56:12 bhill: Once I''ve set the tranquil flag you should treat the site as HTTPS, but I still have HTTP links 07:56:22 s|[explanation of upgrade-insecure-requests: https://w3c.github.io/webappsec-upgrade-insecure-requests/]|| 07:56:35 mt: What we want is to get everyone to secure state 07:56:54 bhill: we want to get everyone there without breaking their sites, nor the guaranties 07:57:10 Richard: this proposal is conflating two mechanisms 07:57:17 one is getting better telemetry 07:57:30 s/... Deadlock in upgrading/bhill2: Deadlock in upgrading 07:57:38 mishizaw has joined #https-transitional 07:58:05 s/one/... one 07:58:05 bhill: fixing mixed content breakage is very exepnsive, so the most important thing is unblocking dependers 07:58:13 s/maybe we/... maybe we 07:58:19 RRSAgent, draft minutes 07:58:19 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 07:58:47 Richard: it would be useful to break out all the parts because they may have different solutions 07:58:52 s/Richard:/rbarnes:/G 07:58:58 bhill: I like it since it solves all the use cases 07:59:07 s/bhill:/bhill2:/G 07:59:11 On that last point, it seems uncertain whether we can safely unblock people who depend on us by providing parallel http/https without endangering anything 07:59:17 rbarnes: but you're bundling the different use cases into a single solution 07:59:48 tbl: what telemetry would one need? When measuring the dependencies don't we know what they are but the graph is too complicated? 07:59:58 the ability to go to blue stage is important 08:00:17 rbarnes: if we do the first two things, we'd still have to get to blue stage 08:00:35 q+ 08:00:40 but sites that I've worked with were able to get the first two 08:00:45 q- 08:00:48 q is dead 08:00:58 s/q is dead// 08:01:07 so once we've handled that we can know what we need to do about the more complicated things 08:01:29 bhill: thinking about cost and incentive 08:01:36 sites want the lock icons 08:01:53 so they can use that to discover the dependencies and apply pressure 08:02:05 s/sites want/... sites want 08:02:09 s/so they/... so they 08:02:21 q- 08:02:22 rbarnes: the blue state removes pressure from the 3rd party to moving to HTTPS 08:02:34 tbl: if you're serving scripts you will get pressure 08:02:34 rbarnes has joined #https-transitional 08:02:48 XXX: but you're getting nothing out of at 08:02:59 ndoty: if you're an ad network, you're losing money 08:03:13 mt: I'd like to push back on the "just work" concept 08:03:17 s/XXX/barryleiba 08:03:34 RRSAgent, draft minutes 08:03:34 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 08:03:38 if you look into the details, there are a lot of operational problems that this doesn't avoid 08:03:46 s/if you/... if you 08:04:10 s/ndoty/npdoty 08:04:23 we ran into problems, because you're running on TLS in a modified mode, so resources are requested over blue mode and green mode, and it's gets complicated to deploy this 08:04:31 you're selling a silver bullet, and we've been there 08:04:37 s/the ability to go/... the ability to go 08:04:41 bhill: I'd love comments about these issues 08:04:44 turns out to be a tin bullet... 08:04:47 s/but sites that/... but sites that 08:04:55 mt: we've been discussing that almost two years 08:05:01 s/so once we've handled/... so once we've handled 08:05:06 q? 08:05:09 s/XXX/barryleiba 08:05:25 s|s/XXX/barryleiba|| 08:05:31 RRSAgent, draft minutes 08:05:31 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 08:05:42 mt: I'm suggesting that this shares some problems with opportunistic encryption 08:05:51 barryleiba has left #https-transitional 08:06:03 s/so it's not perfect/... so it's not perfect 08:06:08 mnot: I'd love to hear the editor of the mixed content spec 08:06:14 s/Set your config/... Set your config 08:06:24 mkwst: If we can get the same guaranties, it's not mixed content 08:06:27 s/we ran into problems/... we ran into problems 08:06:28 my concerns 08:06:34 a) what thos guaranties are? 08:06:37 s/you're selling a/... you're selling a 08:06:44 s/my concerns/... my concerns 08:06:48 s/a)/... a) 08:06:54 the proposal addresses that, so if guaranties are provided, resource doesn't load 08:07:00 you lose confidentiality 08:07:03 s/the proposal/... the proposal 08:07:06 you keep the rest 08:07:09 s/you/... you 08:07:14 I'd love to keep confidentiality 08:07:15 s/you lose/... you lose 08:07:30 so that if we're coming from a secured context we request 443 08:07:31 s/I'd/... I'd 08:07:36 s/so/... so 08:07:46 HTST probing forces you into HSTS which is problematic 08:08:03 what I've heard is that they can't do HSTS now, they dont HTTPS 08:08:15 HSTS is hard, so decoupling from HSTS is better 08:08:35 mkwst: my impression is that it resolves a small number of sites 08:08:41 s/HTST probing/... HTST probing 08:08:44 it's not clear that it's worth doing the work 08:08:49 s/what I've/... what I've 08:08:54 s/HSTS is hard/... HSTS is hard 08:08:58 and it doesn't solve the bigger problem of getting people migrate 08:09:00 s/it's not/... it's not 08:09:07 mishizaw has joined #https-transitional 08:09:09 s/and it doesn/... and it doesn 08:09:11 what happens is that someone at the end of the chain doesn't migrate 08:09:17 which prevents everyone from migrating 08:09:19 s/what happens/... what happens 08:09:25 s/which/... which 08:09:37 one option is the block mixed content, instead of loading and breaking UI 08:09:48 btw, list of Let's Encrypt certificates: https://crt.sh/?Identity=%25&iCAID=7395 08:09:51 ads not being HTTPS is going away 08:09:54 s/one option/... one option 08:09:58 every publisher is moving to HTTPS 08:10:03 s/ads not/... ads not 08:10:07 s/every/... every 08:10:11 so the guaranties of HTTPS are enough to get people to migrate 08:10:24 I'm simpethetic to the problems this is solving 08:10:34 s/so the/... so the/ 08:10:36 not clear this is relevant in a few years 08:10:39 so/I'm/... I'm 08:10:43 s/not clear/... not clear 08:10:47 concerned about the amount of work that this would be involved 08:10:56 s|so/I'm/... I'm|| 08:11:01 or if it's better to get more certs into hands of people 08:11:11 and resolving telemetry issue rbarnes talked about 08:11:12 s/I'm simpethetic/... I'm simpethetic 08:11:20 s/concerned/... concerned 08:11:22 but people care and are working on it 08:11:24 s/simpethetic/sympathetic 08:11:28 s/or if it's better/... or if it's better 08:11:34 s/and resolving/... and resolving 08:11:35 some sites will never upgrade, btu not clear what we do with them 08:11:40 RRSAgent, draft minutes 08:11:40 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 08:11:51 s/btu/but 08:11:54 this proposal will get us to these sites, but I suspect that there are a lot of them 08:11:59 s/some/... some 08:12:04 s/this/... this 08:12:07 they probably not a dependencies so fairly isolated 08:12:22 s/they/... they 08:12:29 bhill: the rock they're under might be a government with data 08:12:46 mkwst: upgrading to HTTPS won't solve it 08:13:06 I think it's worth exploring, I want to understand implications on ecosystem 08:13:16 if it's helps everyone upgrade, that's great 08:13:34 or maybe we talk to large hosters and they just upgrafde 08:13:52 s|btw, list of Let's Encrypt certificates: https://crt.sh/?Identity=%25&iCAID=7395|-> https://crt.sh/?Identity=%25&iCAID=7395 list of Let's Encrypt certificates 08:14:01 bhill: they can't necessarily upgrade because of crazy content that's linking anywhere 08:14:17 tbl: there was a plan to switch before TPAC, but too much stuff broke 08:14:38 mkwst: we asked questions and no answer 08:14:42 s/but people care/... but people care 08:14:52 XXX: problems with Firefox not implementing upgrade 08:15:03 mkwst: Safari didn't implement either, you need to cope 08:15:30 bhill: thanks for showing up 08:15:42 s/XXX/yves/ 08:15:56 mishizaw has joined #https-transitional 08:15:57 s/or maybe we/... or maybe we 08:16:09 s/if it's helps/... if it helps 08:16:19 s/I think it's worth/... I think it's worth 08:16:27 RRSAgent, draft minutes 08:16:27 I have made the request to generate http://www.w3.org/2015/10/28-https-transitional-minutes.html timeless 08:17:47 [ Adjourned ] 08:17:49 adjourned! 08:17:51 s/timeless/scribe 08:18:09 Thanks, Brad! 08:24:52 jxck has joined #https-transitional 08:28:28 npdoty has left #https-transitional 08:33:01 dbaron has joined #https-transitional 11:08:12 kpfleming has joined #https-transitional 11:08:18 kpfleming has left #https-transitional 11:10:02 Zakim has left #https-transitional 14:56:07