date:20130906

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread SM


At 20:32 05-09-2013, Vinayak Hegde wrote:
While it is nice to do a dedication of this meeting to the SA 
surveillance, I do not see us solving any issue here. It is merely a 
"feel-good" measure without real impact.


:-)

Second, technology can never fix what is essentially a political 
problem. for eg. We mandate strong security protocols and end-to-end 
encryption in HTTP(S) by default. Lets


In a Last Call comment a few months ago it was mentioned that a 
specification takes the stance that security is an optional 
feature.  I once watched a Security Area Director spend thirty 
minutes trying to explain to a working group that security feature 
should be implemented.  If I recall correctly the working group was 
unconvinced.


Would the community raise it as an issue during a Last Call if a 
proposed protocol did not have strong security features?  It's up to 
the reader to determine the answer to that.


 assume all browsers implement this and do this perfectly without 
software flaws. All the NSA has to do is to compromise the other 
endpoint (controlled by ACME major corp). ACME gives over the 
encryption keys and access to all the unencrypted data to the NSA. So now


Yes.

 what are we going to do. The IETF can make an political statement 
by taking a stand but that may mean nothing in reality when the 
laws are weak. Another example is when you have


Taking a stand that means nothing is a feel-good measure.

 encrypted your drive and do not want to hand over the keys as it 
has some personal (and possibly incriminating evidence). In several 
countries you can be held in jail indefinitely (with obvious 
renewals of sentences) until you hand the keys over[1]. So in 
summary, technology cannot solve political and legal issues. At 
best it can make it harder. But in this case maybe not even that.


The IETF outlook does not apply in several countries.  The IETF does 
not seem to pay much attention to that details (re. hand the 
keys).  It's not clear what the emergency is.  Phillip Hallam-Baker 
and Brian Carpenter already mentioned that it's not like this is a surprise.


According to a news article key architects of the Internet plan to 
fight back by drawing a plan to defend against state-sponsored 
surveillance.  Anyway, if someone really wanted to call for an 
emergency response the person would have sent it to an IETF mailing list.


At 20:08 05-09-2013, Ted Lemon wrote:
I think we all knew NSA was collecting the data.   Why didn't we do 
something about it sooner?   Wasn't it an emergency when the PATRIOT 
act was passed?   We certainly thought it was an emergency back in 
the days of Skipjack, but then they convinced us we'd won.   Turns 
out they just went around us.


I would describe it as a scuffle instead of a battle.  My guess is 
that the IETF did not do anything sooner as nobody knows what to do, 
or it may be that the IETF has become conservative and it does not 
pay attention to the minority report.


At 23:04 05-09-2013, Jari Arkko wrote:
I think we should seize this opportunity to take a hard look at what 
we can do better.


:-)

And please do not think about all this just in terms of the recent 
revelations. The


That's an interesting perspective.

 security in the Internet is still a challenge, and if there are 
improvements they will be generally useful for many reasons and for 
many years to come. Perhaps this year's discussions are our ticket 
to motivate the world to move from "by default insecure" 
communications to "by default secure". Publicity and motivation are 
important, too.


Yes.

Regards,
-sm

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Måns Nilsson

Subject: Re: Bruce Schneier's Proposal to dedicate November meeting to saving 
the Internet from the NSA Date: Fri, Sep 06, 2013 at 09:04:41AM +0300 Quoting 
Jari Arkko (jari.ar...@piuha.net):
> I think we should seize this opportunity to take a hard look at what we can 
> do better. Yes, it is completely correct that this is only partially a 
> technical problem, and that there is a lot of technology that, if used, would 
> help. And that technical issues outside IETF space, like endpoint security, 
> or the properties of specific products or implements affects the end result 
> in major ways. And that no amount of communication security helps you if you 
> do not the guy at the other end.
> 
> But it is also obvious to me that we do not have a situation where everything 
> that could be done has been done. I think we can do more. Some examples:
> 
> * we're having a discussion in http 2.0 work whether encryption should be 
> mandatory

Given the relative impact of http I think that this is the most important
of your suggestions. Frankly, I do not think it is sensible to block
mandatory crypto in http 2.0. 

However, I think it is also important to look at how we handle the
key distribution problem. The traditional X.509 model has repeatedly
been shown to be extremely vulnerable to bad management and directed
attacks. Further, the dependency on relatively few root CA instances
and the lack of domain name scope limitations makes an attack on said
CA not only likely but also most rewarding to the attacker.

I do think that more distributed technoligies like DANE play an important
rôle here.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Like I always say -- nothing can beat the BRATWURST here in DUSSELDORF!!


signature.asc
Description: Digital signature

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Hannes Tschofenig

Bruce might not know that we have already various activities ongoing. I
just recently produced a short writeup about the efforts related to this
topic ongoing at the last IETF meeting on my blog:

http://www.tschofenig.priv.at/wp/?p=993

Ciao
Hannes

On 06.09.2013 03:17, Dean Willis wrote:

This is bigger than the "perpass" list.

I suggested that the surveillance/broken crypto challenge represents "damage to the
Internet". I'm not the only one thinking that way.

I'd like to share the challenge raised by Bruce Schneier in:

http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying

To quote:

---
We need to know how exactly how the NSA and other agencies are subverting
routers, switches, the internet backbone, encryption technologies and cloud
systems. I already have five stories from people like you, and I've just
started collecting. I want 50. There's safety in numbers, and this form of
civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the internet to
prevent this kind of wholesale spying. We need new techniques to prevent
communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open
protocols, open implementations, open systems – these will be harder for the
NSA to subvert.

The Internet Engineering Task Force, the group that defines the standards that
make the internet run, has a meeting planned for early November in Vancouver.
This group needs dedicate its next meeting to this task. This is an emergency,
and demands an emergency response.

The gauntlet is in our face. What are we going to do about it?

--
Dean Willis

RE: [CCAMP] Last Call: (Generalized Multi-Protocol Label Switching (GMPLS) Signaling Extensions for the evolving G.709 Optical Transport Networks Contr

2013-09-06 Thread Fatai Zhang

Hi Adrian,

I am updating this draft, but one issue is about the new small section.

You said "adding a small section including all of the statements you made in 
your email", but I really don't know which kind of section should be added to 
cover various aspects including management tools, OAM, alarm, MIB, etc.

I also suspect the value to have this kind of new section to talk about 
something (and nothing new), which may not be related to the subject of this 
draft (ie., RSVP-TE extensions for OTN *connection* establishment).

Therefore, I would like to hear more from you. Could you give a title for this 
new section?


Best Regards

Fatai

From: Adrian Farrel [mailto:adr...@olddog.co.uk]
Sent: Wednesday, August 21, 2013 6:12 PM
To: Fatai Zhang; ietf@ietf.org
Cc: cc...@ietf.org
Subject: RE: [CCAMP] Last Call: 
 (Generalized Multi-Protocol 
Label Switching (GMPLS) Signaling Extensions for the evolving G.709 Optical 
Transport Networks Control) to Proposed Standard

Hi Fatai,

I think you nicely answered your own questions :-)

I would suggest adding a small section including all of the statements you made 
in your email. (Well, no need to refer to Berlin and the CCAMP chairs :-)

Cheers,
Adrian

From: Fatai Zhang [mailto:zhangfa...@huawei.com]
Sent: 21 August 2013 08:40
To: adr...@olddog.co.uk; ietf@ietf.org
Cc: cc...@ietf.org
Subject: RE: [CCAMP] Last Call: 
 (Generalized Multi-Protocol 
Label Switching (GMPLS) Signaling Extensions for the evolving G.709 Optical 
Transport Networks Control) to Proposed Standard


Hi Adrian,



Thanks very much.



I can update the nits and editorial issues quickly, but I would like to discuss 
more with you for the following points to make things clear before I update the 
draft.



=

Please consider and note what updates to GMPLS management tools are needed.



[Fatai]This has been mentioned in [Framework] document. Did you mean that we 
need add one sentence in some place of this document to refer to [Framework] 
document to mention management tools?



Are there any changes to the Alarms that might arise? We have a document for 
that.



[Fatai] No. RFC4783 is still applicable.



Are there any changes to the way OAM is controlled? We have a document for that.



[Fatai] No, it could be done through NMS or 
[draft-ietf-ccamp-rsvp-te-sdh-otn-oam-ext].



Should the new G-PIDs show in the TC MIB managed by IANA at

https://www.iana.org/assignments/ianagmplstc-mib/ianagmplstc-mib.xhtml

This should happen automgically when the feeding registries are updated

but it is probably best to add a specific request for IANA.



[Fatai] Will do that.



Will other MIB work be needed (in the future) to make it possible to

read new information (labels, tspecs) from network devices?



[Fatai] I am not sure. I asked the similar question (not on this draft) during 
Berlin meeting. The chairs answered that it could be driven by drafts.







Best Regards



Fatai



-Original Message-
From: ccamp-boun...@ietf.org [mailto:ccamp-boun...@ietf.org] On Behalf Of 
Adrian Farrel
Sent: Wednesday, August 21, 2013 2:51 AM
To: ietf@ietf.org
Cc: cc...@ietf.org
Subject: Re: [CCAMP] Last Call: 
 (Generalized Multi-Protocol 
Label Switching (GMPLS) Signaling Extensions for the evolving G.709 Optical 
Transport Networks Control) to Proposed Standard



As sponsoring AD I have the following last call comments I hope you will take on

board.



Thanks,

Adrian



Please fix the two lines that are too long (see idnits)



---



Please expand "OTN" on first use in the main text.

Please expand "TS" on its first use.



---



6.2



   The ingress node of an LSP MAY include Label ERO (Explicit Route

   Object) to indicate the label in each hops along the path.



Missing "subobject".



---



6.2.1



   When an upstream node receives a Resv message containing an

   GENERALIZED_LABEL object



s/an/a/



---



Please consider and note what updates to GMPLS management tools are

needed.



Are there any changes to the Alarms that might arise? We have a document

for that.



Are there any changes to the way OAM is controlled? We have a document

for that.



Should the new G-PIDs show in the TC MIB managed by IANA at

https://www.iana.org/assignments/ianagmplstc-mib/ianagmplstc-mib.xhtml

This should happen automgically when the feeding registries are updated

but it is probably best to add a specific request for IANA.



Will other MIB work be needed (in the future) to make it possible to

read new information (labels, tspecs) from network devices?



---



Please fix so that you have three sections:



Authors' Addresses (only those people on the front page)

Contributors (other people who made significant text contributions to

the document)

Acknowledgements (other people who helped with the work)



---



[OTN-OSPF] should be a normative reference for its use to define the

value of the switching

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Adam Novak


On 09/05/2013 08:19 PM, Brian E Carpenter wrote:

Tell me what the IETF could be doing that it isn't already doing.

I'm not talking about what implementors and operators and users should
be doing; still less about what legislators should or shouldn't be
doing. I care about all those things, but the question here is what
standards or informational outputs from the IETF are needed, in addition
to what's already done or in the works.

I don't intend that to be a rhetorical question.

  Brian


One way to frustrate this sort of dragnet surveillance would be to 
reduce centralization in the Internet's architecture. Right now, the way 
the Internet works in practice for private individuals, all your traffic 
goes up one pipe to your ISP. It's trivial to tap, since the tapping can 
be centralized at the ISP end.


The IETF focused on developing protocols (and reserving the necessary 
network numbers) to facilitate direct network peering between private 
individuals, it could make it much more expensive to mount large-scale 
traffic interception attacks.

Re: Bruce Schneier's Proposal to dedicate November meeting to savingthe Internet from the NSA

2013-09-06 Thread t . p .

- Original Message -
From: "Phillip Hallam-Baker" 
To: "Andrew Sullivan" 
Cc: "IETF Discussion Mailing List" 
Sent: Friday, September 06, 2013 4:56 AM
> On Thu, Sep 5, 2013 at 11:32 PM, Andrew Sullivan
wrote:
>
> > On Fri, Sep 06, 2013 at 03:28:28PM +1200, Brian E Carpenter wrote:
> > >
> > > OK, that's actionable in the IETF, so can we see the I-D before
> > > the cutoff?
> >
> > Why is that discussion of this nailed to the cycle of IETF meetings?
>
>
> It is not. I raised the challenge over a week ago in another forum.
Last
> thing I would do is to give any institution veto power.
>
>
> The design I think is practical is to eliminate all UI issues by
insisting
> that encryption and decryption are transparent. Any email that can be
sent
> encrypted is sent encrypted.

That sounds like the 'End User Fallacy number one' that I encounter all
the time in my work.  If only everything were encrypted, then we would
be completely safe.  Well, no (as you Phillip know well).  It depends on
the strength of the ciphers (you can get a little padlock on your screen
with SSL 2 which was the default in my local public access system until
recently).  It depends on the keys being secret (one enterprise system I
was enrolled on in 2003 will not let me change my password, ever - only
the system administrator has that power).  It depends on authentication
(I have a totally secure channel, unbreakable in the next 50 years, but
it is not to my bank but to a Far Eastern Power).  And so on.  Yet every
few weeks I hear the media saying, 'look for the padlock'.

I think that the obvious step to improving security is to get the world
at large possessing and using certificates, in the same way as the
governments of the world, not very long agao, persuaded us to use
passports.

Tom Petch

>
> So that means that we have to have a key distribution infrastructure
such
> that when you register a key it becomes available to anyone who might
need
> to send you a message. We would also wish to apply the Certificate
> Transparency approach to protect the Trusted Third Parties from being
> coerced, infiltrated or compromised.
>
> Packaging the implementation is not difficult, a set of proxies for
IMAP
> and SUBMIT enhance and decrypt the messages.
>
> The client side complexity is separated from the proxy using
Omnibroker.
>

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Vinayak Hegde

On Fri, Sep 6, 2013 at 12:16 PM, SM  wrote:

> In a Last Call comment a few months ago it was mentioned that a
> specification takes the stance that security is an optional feature.  I
> once watched a Security Area Director spend thirty minutes trying to
> explain to a working group that security feature should be implemented.  If
> I recall correctly the working group was unconvinced.
>
> Would the community raise it as an issue during a Last Call if a proposed
> protocol did not have strong security features?  It's up to the reader to
> determine the answer to that.

It is tragic if the community does understand strong encryption is
essential in many cases (with the caveat that it is not a panacea for all
security breaches) As for raising issues at the last-call. Why not ? The
last-call is no different than any other mailing list discussion or going
to the mic in a physical meeting. (Other than the urgency of having the
last chance to comment ?)

-- Vinayak

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Hannes Tschofenig


On 06.09.2013 04:36, Brian E Carpenter wrote:

I'm not saying there's no issue or no work to do, but what's new about
any of this?


Still at the end of last year I remember conversations in working groups 
that questions why we need TLS security for protocols like SCIM (a 
protocol that shuffles credentials around).


I don't think that the decision in the RTCWeb group against SDES would 
have been possible without the NSA news.


I also remember the Internet Privacy workshop the IAB and others 
organized about 2 years ago and back then we argued whether government 
surveillance is something we should focus on or whether we are mainly 
interested in companies who impact your privacy.


While some (many) have already anticipated that the NSA (and other 
governments) deploy massive surveillance technologies the extend to 
which it is done has surprised most security persons I know.


In a nutshell, the understanding and awareness of the wider Internet 
community has changed with those news.


Ciao
Hannes

RE: pgp signing in van

2013-09-06 Thread l.wood


Surely, pgp signing in vain?

Don't know about you, but I value plausible deniability.

Lloyd Wood
http://sat-net.com/L.Wood/



From: ietf-boun...@ietf.org [ietf-boun...@ietf.org] On Behalf Of Randy Bush 
[ra...@psg.com]
Sent: 06 September 2013 01:45
To: IETF Disgust
Subject: pgp signing in van

so, it might be a good idea to hold a pgp signing party in van.  but
there are interesting issues in doing so.  we have done lots of parties
so have the social protocols and n00b cheat sheets.  but that is the
trivial tip of the iceberg.

  o is pgp compromised?  just because it is not listed in [0] is not
very strong assurance in these dark days.

  o what are the hashes of audited software, and who did the audits?

  o what are the recommended algs/digest/keylen parameters?

  o do we really need eliptical, or is that a poison pill?

  o your questions go here ...

randy

---

[0] 
http://www.nytimes.com/interactive/2013/09/05/us/unlocking-private-communications.html

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Stewart Bryant


On 06/09/2013 04:19, Brian E Carpenter wrote:

On 06/09/2013 15:08, Ted Lemon wrote:

On Sep 5, 2013, at 9:36 PM, Brian E Carpenter  
wrote:

I'm sorry, I don't detect the emergency.

I think we all knew NSA was collecting the data.   Why didn't we do something 
about it sooner?   Wasn't it an emergency when the PATRIOT act was passed?   We 
certainly thought it was an emergency back in the days of Skipjack, but then 
they convinced us we'd won.   Turns out they just went around us.

Tell me what the IETF could be doing that it isn't already doing.

I'm not talking about what implementors and operators and users should
be doing; still less about what legislators should or shouldn't be
doing. I care about all those things, but the question here is what
standards or informational outputs from the IETF are needed, in addition
to what's already done or in the works.


There is a whole bunch of stuff we can do to make transit traffic less 
observable.


In other words we can modify things so the only think you know about a 
packet is where it is going, not what it is or who it came from.


Stewart

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Stephen Farrell

Summarising a *lot* :-)

On 09/06/2013 11:30 AM, Stewart Bryant wrote:
> 
> There is a whole bunch of stuff we can do

I fully agree. Some more detail on one of those...

We setup the perpass list [1] as a venue for triaging
specific proposals in this space. A few weeks in, we
have one I-D [2] (very much a -00) that tries to describe
a threat model that matches the recent revelations,
and that could be a good reference when folks are
developing protocols.

We have found volunteers to write a draft for a BCP
on how to use perfect forward secrecy in TLS, more
common use of which (we still think) would mitigate a
bunch of the ways in which TLS traffic could be
subverted, given various forms of collusion/coercion.
I hope the -00 for that will pop out in a weekish.

We've had some discussion about how to do better with
email, but that's not yet landed on specifics that
could be taken further. And a couple of other topics
have come up. More are welcome.

For any such topic that looks like it'll turn into
something actionable (in the IETF context), I'm very
happy to push to get it adopted by a relevant WG or
to get it AD sponsored.

If you care about this stuff, then get on that list
and make concrete proposals and write I-Ds about ways
the IETF can improve the situation. If the content
is good, you'll find you're pushing on an open door
(at least as far as the SEC ADs are concerned:-).

And as we all know the IETF cannot "solve the problem"
here, but as Stewart rightly said: there is stuff we
can do better. So let's do it.

I do think some kind of session in Vancouver would be
useful to move this along some more and there's
discussion ongoing within the IESG and IAB on how to
best do that. If we (IESG/IAB) fail in that, please do
beat us up mightily at the mic in Vancouver.

Cheers,
S.

[1] https://www.ietf.org/mailman/listinfo/perpass
[2] http://tools.ietf.org/html/draft-trammell-perpass-ppa

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Hannes Tschofenig


On 06.09.2013 13:30, Stewart Bryant wrote:

Tell me what the IETF could be doing that it isn't already doing.

It really depends where you see the boundaries of the IETF.

For some the IETF only produces documents and that's it. Clearly, we 
have a lot of specification work ongoing in different areas that helps 
to mitigate various security vulnerabilities. This ranges from recent 
work on XMPP end-to-end security (as in 
http://tools.ietf.org/html/draft-miller-3923bis-02) all the way to the 
recent RTCWEB discussions on using DTLS-SRTP as a key management protocol.


For other folks the IETF does much more, such as to reach out to those 
deploying our technology. Many folks involved in the IETF community 
produce open source code, write article in popular computer magazines 
explaining how to use the technology, give presentations at various 
conferences, teach at universities and research institutes, provide 
consulting, etc. The list is long.


It is obviously easier to write (security) documents but somewhat more 
complex to get them widely deployed. Example: TLS everywhere, DNSSEC, 
email security, routing security, etc.


While we are able to fill gaps in security protocols fairly quickly we 
don't always seem to make the right choices because the interests of 
various participants are not necessarily aligned. In general, we seem to 
develop an insecure version and a secure version of a protocol. 
Unfortunately, the insecure version gets widely deployed and we have an 
incredible hard time to introduce the secure version.


In addition to the specification work we could think about how to reach 
out to the broader Internet ecosystem a bit better. Since we have lots 
of folks in the IETF I don't think it is an impossible task but it might 
require a bit of coordination. Right now would be a good time to launch 
some of those initiatives since most people currently understand the 
need for security.


Ciao
Hannes

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Jorge Amodio

IMHO. There is no amount of engineering that can fix stupid people doing
stupid things... on both sides of the stupid line.

-J

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Peter Saint-Andre

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 9/6/13 1:47 AM, Adam Novak wrote:
> On 09/05/2013 08:19 PM, Brian E Carpenter wrote:
>> Tell me what the IETF could be doing that it isn't already
>> doing.
>> 
>> I'm not talking about what implementors and operators and users
>> should be doing; still less about what legislators should or
>> shouldn't be doing. I care about all those things, but the
>> question here is what standards or informational outputs from the
>> IETF are needed, in addition to what's already done or in the
>> works.
>> 
>> I don't intend that to be a rhetorical question.
>> 
>> Brian
> 
> One way to frustrate this sort of dragnet surveillance would be to 
> reduce centralization in the Internet's architecture. Right now,
> the way the Internet works in practice for private individuals, all
> your traffic goes up one pipe to your ISP. It's trivial to tap,
> since the tapping can be centralized at the ISP end.
> 
> The IETF focused on developing protocols (and reserving the
> necessary network numbers) to facilitate direct network peering
> between private individuals, it could make it much more expensive
> to mount large-scale traffic interception attacks.

+1. There's already work on things like MANET, but this seems a useful
avenue of work.

Peter

- -- 
Peter Saint-Andre
https://stpeter.im/


-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSKdGmAAoJEOoGpJErxa2pL+cP/3lYe7AP9rkPSYdvSVvt073N
sZ5hc4aIC/PDTUTLrZV7dPTsCs0vEqn5kcgm0C/w8KHZ4XFLY1iDJiXebekAZWTd
F3jpOgrO1kQZsyb2t65xjasdVAeg9sWZ0+l9epoMa5qLPQeOhD7fVBVmZ2NVccCu
k0Js14lJZTsVNMdU9R7pujcvk8uaoqys+Ac+y1ZjCoW26I9Fo357cNVtODyGRBUb
ARKOsniaZPrPExPj5ZGIfeOabMEQoy3AvC/O74J+/llqItku+i7iJRqwVTHhRni3
70/A91l3icQ4Ke6uIGio9VHRv/XRJgr2lMBf5qzHneWKdFBUfVqRbSVKZdZS2qzK
dB2YOH+Dx847mzKhv+bRo+WgXsjoRLQQziOGeARikbDmMOdXdVP/vGnT++vMksBO
FP+T8jTWRStQNU9Uj04geLo/GwOO8/i72FvSfX8FJxmGWq2p9mocInnFM/Tg7dxr
zyrVV3Ou9VLzJuIE3xoUT1Xqr//GNgdmELCOQvn4+C866bjKwPkhqtxYpLOoObMK
qL8XEe4h5SvE2YKyC1fhhzMVDFZ9dHH9bD8FMsbzUb43/3a1IBk6ti+U85FmjzWH
fNbbi+oB5zoRh/ib3yqgQ6sMrPTdwuXu5WnpJBtggALebZ8NNWPB0VCYHXk8nP4u
1Y0TkCGeJFCXG4a7kyTC
=Sezw
-END PGP SIGNATURE-

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Alan Johnston

On Fri, Sep 6, 2013 at 7:07 AM, Hannes Tschofenig  wrote:

> On 06.09.2013 13:30, Stewart Bryant wrote:
>
>> Tell me what the IETF could be doing that it isn't already doing.
>>
> It really depends where you see the boundaries of the IETF.
>
> For some the IETF only produces documents and that's it. Clearly, we have
> a lot of specification work ongoing in different areas that helps to
> mitigate various security vulnerabilities. This ranges from recent work on
> XMPP end-to-end security (as in http://tools.ietf.org/html/**
> draft-miller-3923bis-02)
> all the way to the recent RTCWEB discussions on using DTLS-SRTP as a key
> management protocol.
>

If we took protection against MitM attacks seriously, we would be using
ZRTP for RTCWEB instead of DTLS-SRTP.  See

 http://tools.ietf.org/html/draft-johnston-rtcweb-zrtp

- Alan -

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Martin Sustrik


On 06/09/13 14:07, Hannes Tschofenig wrote:


While we are able to fill gaps in security protocols fairly quickly we
don't always seem to make the right choices because the interests of
various participants are not necessarily aligned.


So, what if an NSA guys comes in and proposes backdoor to be added to a 
protocol? Is it even a valid interest? Does IETF as an organisation have 
anything to say about that or does it remain strictly neutral?


Martin

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 Thread Eliot Lear


On 9/6/13 3:04 PM, Martin Sustrik wrote:
> So, what if an NSA guys comes in and proposes backdoor to be added to
> a protocol? Is it even a valid interest? Does IETF as an organisation
> have anything to say about that or does it remain strictly neutral?
>
It's happened before and we as a community have said no.  See RFC 2804.

1 2 >

1 - 100 of 108 matches

Mail list logo