* Stephen Farrell wrote:
>Some folks (me included to be honest) wonder if the current
>situation argues for raising the bar there somewhat on the
>basis that MTI security features are frequently turned off
>or not sufficiently well tested to be usable. (Pick your
>favourite example, mine are usually rfc4744 or Diameter
>being run in clear.) And an upshot from that is that that
>helps those who want to pervasively monitor everything.
>
>Others argue that that'd be the IETF straying into the
>space of policy - all we should do is define how to use
>strong security features and make sure the code is there so
>they can be turned on and the rest is policy.

I need to monitor everything that comes in and out of my computer systems and networks so I can detect exfiltrations and intrusions, like when the latest operating system update comes with a helpful default-on automatic cloud backup solution for my encryption keys, or detailed information about nearby radio signals and microwaves collected over prolonged periods of time by my smartphone.

Lacking a mandate to allow the user to effectively disable any "security" mechanism would also help those who want to "pervasively monitor everything", but "mandatory-to-use" digital repression mechanisms are being deployed faster than I can track them. That would seem to belong to this debate as well.

-- 
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/