Equably when it comes to privacy
Hi David, At 16:10 06-09-2013, David Morris wrote: Seriously though, NSA makes a nice villain, but much of our hardware is manufactured in countries with fewer restraints than the NSA when it comes to the right to privacy, etc. Wouldn't surprise me that my major brand router has sniffers from more than one country's security agency. The right to privacy is mentioned in the above. From http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=B7-2013-0342&language=EN whereas the US legal system does not ensure the protection of non-US citizens, such as EU citizens; whereas, for instance, the protection provided by the Fourth Amendment applies only to US citizens and not to EU citizens or other non-US citizens; There aren't any villains in all this. There is a question of whether the company taking the data will value each of its customers equably when it comes to privacy. It doesn't seem so. Regards, -sm
Re: Equably when it comes to privacy
On Sun, Sep 8, 2013 at 3:21 AM, SM s...@resistor.net wrote: Hi David, At 16:10 06-09-2013, David Morris wrote: Seriously though, NSA makes a nice villain, but much of our hardware is manufactured in countries with fewer restraints than the NSA when it comes to the right to privacy, etc. Wouldn't surprise me that my major brand router has sniffers from more than one country's security agency. The right to privacy is mentioned in the above. From http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=B7-2013-0342&language=EN whereas the US legal system does not ensure the protection of non-US citizens, such as EU citizens; whereas, for instance, the protection provided by the Fourth Amendment applies only to US citizens and not to EU citizens or other non-US citizens; There aren't any villains in all this. There is a question of whether the company taking the data will value each of its customers equably when it comes to privacy. It doesn't seem so. The other countries concerned did not take the lead in establishing a network of secret prisons where hundreds of prisoners were illegally held without charge. As the US did under President Bush. The other countries concerned did not employ torture as the US did under President Bush. Another worrying aspect of BULLRUN is that it is named after a victory for the confederate side in the US civil war. They seem to be looking to make slaves out of us. They certainly seem to be endorsing a racist cause. What should we think if the German intelligence service had a similar program codenamed AUSCHWITZ? We know from the history of Snowden that the NSA has lax internal controls. They allowed a person who wasn't even an employee access to this information. They have since chased Snowden off to Russia where Putin professes to be concerned that he does not leak any more information.
Could this be because Putin has infiltrated one or more Snowdens into the NSA himself and does not want to see the intel gathered to date be compromised or because he thinks he can probably get it out of Snowden if the GRU can find the right stripper? There might be other agencies that have compromised the Internet to the same extent as the NSA. Or the others might just find it is easier to free ride off the NSA work product which Russia and China and Iran are all consuming through their own moles. -- Website: http://hallambaker.com/
Re: decentralization of Internet (was Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
From: Roger Jørgensen rog...@gmail.com Isn't the payload the important part to protect? Encrypting only the headers was a suggestion for the case where the routers don't have enough spare crunch to encrypt the entire payload of every packet. Whether that would do anything useful, or whether analysis of the payload could bypass that, making that limited step useless, I don't know. Noel
Re: Equably when it comes to privacy
The other countries concerned did not employ torture as the US did under President Bush. You mean like Pakistan, Iran, Libya, Syria, Saudi Arabia -J
Re: Equably when it comes to privacy
Probably best if we keep the politics off the IETF list. Noel
Re: Equably when it comes to privacy
On Sun, Sep 8, 2013 at 10:27 AM, Noel Chiappa j...@mercury.lcs.mit.edu wrote: Probably best if we keep the politics off the IETF list. Noel I grew up in politics. There is a method to my approach here. I know that the IETF list is watched. I am making it clear that I am a personal political opponent of Clapper and Alexander and linking the NSA activities to the racist wing of the GOP. Now imagine the political fallout if the NSA or FBI attempt to pressure me again like during the cryptowars. That is not a risk I expect a low level employee is going to take. -- Website: http://hallambaker.com/
Re: Equably when it comes to privacy
On Sun, Sep 8, 2013 at 10:07 AM, Jorge Amodio jmamo...@gmail.com wrote: The other countries concerned did not employ torture as the US did under President Bush. You mean like Pakistan, Iran, Libya, Syria, Saudi Arabia My original comment was limited to adversaries with potential intercept capability. If it is the case that we have to be concerned about a widespread intercept capability by those countries in the US then the intelligence agencies have completely failed in their mission to defend NATO countries. China on the other hand, well we all outsource manufacture there. Of course there are despotic regimes that also use torture. The point I was making is that alone in the free world the US administration decided to sanction war crimes and it appears from their choice of codenames that the people in charge of this program might be the type of people who put confederate flags on their cars. So 'just trust us we are the good guys' does not have the same rhetorical force that it once did. -- Website: http://hallambaker.com/
Re: Equably when it comes to privacy
On Sunday, September 08, 2013 11:13:44 Phillip Hallam-Baker wrote: ... might be the type of people who put confederate flags on their cars. ... Since Bull Run is the Union name for the battle, probably not (It'd have been Manassas from a Confederate perspective). Scott K P. S. We are rather far afield for the IETF list, so I'm not going to jump in on this particular angle further.
Re: Equably when it comes to privacy
At 07:07 08-09-2013, Jorge Amodio wrote: You mean like Pakistan, Iran, Libya, Syria, Saudi Arabia There were people from Pakistan who participated in the IETF. I recall an email exchange where a person from that country received an unpleasant comment from someone who is part of the IETF leadership. In my opinion a discussion about Country X or Country Y would take the thread downhill. It can also have a chilling effect. At 05:14 08-09-2013, Phillip Hallam-Baker wrote: Another worrying aspect of [censored] is that it is named after [censored]. They seem to be looking to make [censored] out of us. They certainly seem to be endorsing [censored]. What should we think if the [censored] had a similar program codenamed [censored]? It would not look good. Regards, -sm
Re: Equably when it comes to privacy
On 9/8/13 10:37 AM, SM wrote: At 07:07 08-09-2013, Jorge Amodio wrote: You mean like Pakistan, Iran, Libya, Syria, Saudi Arabia There were people from Pakistan who participated in the IETF. I recall an email exchange where a person from that country received an unpleasant comment from someone who is part of the IETF leadership. In my opinion a discussion about Country X or Country Y would take the thread downhill. It can also have a chilling effect. State employment of legal and extra-legal means to spy on and capitalize the activities of their own citizens and those of other states is something that transcends boundaries, cultural identity or ideology. It doesn't much matter if you're David Dellinger, Neda Agha Sultan, Khalid El-Masri, etc, if you'd ended up on the wrong side of a state apparatus, well you're going to have a bad time of it. Should your tools, the contents of your mind, and the various effects and context of your personal communication become instruments of state-power? Because the tools we've built are certainly capable of that. At 05:14 08-09-2013, Phillip Hallam-Baker wrote: Another worrying aspect of [censored] is that it is named after [censored]. They seem to be looking to make [censored] out of us. They certainly seem to be endorsing [censored]. What should we think if the [censored] had a similar program codenamed [censored]? It would not look good. Regards, -sm
Re: pgp signing in van
--On Friday, September 06, 2013 19:50 -0800 Melinda Shore melinda.sh...@gmail.com wrote: On 9/6/13 7:45 PM, Scott Kitterman wrote: They have different problems, but are inherently less reliable than web of trust GPG signing. It doesn't scale well, but when done in a defined context for defined purposes it works quite well. With external CAs you never know what you get. Vast numbers of bits can be and have been spent on the problems with PKI and on vulnerabilities around CAs (and the trust model). I am not arguing that PKI is awesome. What I *am* arguing is that the semantics of the trust assertions are pretty well-understood and agreed-upon, which is not the case with pgp. When someone signs someone else's pgp key you really don't know why, what the relationship is, what they thought they were attesting to, etc. I think you are both making more of a distinction than exists, modulo the scaling problem with web of trust and something the community has done to itself with CAs. The web of trust scaling issue is well-known and has been discussed repetitively. But the assumption about CAs has always been, more or less, that they can all be trusted equally and that one that couldn't be trusted would and could be held accountable. Things just haven't worked out that way with the net result that, as with PGP, it is hard to deduce why, what the relationship is, what they thought they were attesting to, and so on. While those statements are in the certs or pointed to from them in many cases, there is the immediate second-level problem of whether those assertions can be trusted and what they mean. For example, if what a cert means is passed some test for owning a domain name, it and DANE are, as far as I can tell, identical except for the details of the test ... and some are going to be a lot better for some domains and registrars than others. 
Assorted vendors have certainly made the situation worse by incorporating CA root certificates in systems based on business relationships (or worse) rather than on well-founded beliefs about trust. On the CA side, one of the things I think is needed is a rating system (or collection of them on a pick the rating service you trust basis) for CAs, with an obvious extension to PGP-ish key signers. In itself, that isn't a problem with which the IETF can help. Where I think the IETF and implementer communities have fallen down is in not providing a framework that would both encourage rating systems and tools and make them accessible to users. In our current environment, everything is binary in a world in which issues like trust in a certifier is scaled and multidimensional. As Joe pointed out, we don't use even what information is available in PGP levels of confidence and X.509 assertions about strength. In the real world, we trust people and institutions in different ways for different purposes -- I'll trust someone to work on my car, even the safety systems, whom I wouldn't trust to do my banking... and I wouldn't want my banker anywhere near my brakes. In both cases, I'm probably more interested in institutional roles and experience than I am in whether a key (or signature on paper) binds to a hard identity. In some cases, binding a key to persistence is more important than binding it to actual identity; in others, not. I trust my sister in most things, but wouldn't want her as a certifier because I know she doesn't have sufficient clues about managing keys. And the amount of authentication of identity I think I need differs with circumstances and uses too. We haven't designed the data structures and interfaces to make it feasible for a casual user to incorporate judgments -- her own or those of someone she trusts -- to edit the CA lists that are handed to her, or a PGP keyring she has constructed, and assign conditions to them.
Nor have we specified the interface support that would make it easy for a user to set up and get, e.g., warnings about low-quality certification (or keys linked to domains or registrars that are known to be sloppy or worse) when one is about to use them for some high-value purpose. We have web of trust and rating models (including PICS, which illustrates some of the difficulties with these sorts of things) for web pages and the like, but can't manage them for the keys and certs that are arguably more important. So, anyone ready to step up rather than just lamenting the state of the world? best, john
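An added illustration, not part of the message above and not taken from any IETF specification or existing tool: one possible shape for the data structure the message says is missing, where certifiers (CAs or PGP key signers) carry scaled, multidimensional ratings and a warning is raised when a key is about to be used for a purpose its certification does not support. The dimension names, the 0 to 5 scale, the certifier names and all ratings are hypothetical and constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical rating dimensions, each scored 0 (no confidence) to 5 (high).
DIMENSIONS = ("identity_binding", "key_management")


@dataclass(frozen=True)
class Purpose:
    """A use the relying party is about to make of a key or certificate."""
    name: str
    minimum: dict  # dimension -> lowest acceptable score for this purpose


class TrustPolicy:
    """Per-certifier, per-dimension ratings; the user's own judgments win.

    service_ratings: scores from a rating service the user chose to trust.
    user_overrides:  the user's own scores, applied per dimension.
    """

    def __init__(self, service_ratings, user_overrides=None):
        self.service_ratings = service_ratings
        self.user_overrides = user_overrides or {}

    def score(self, certifier, dimension):
        # An unknown certifier or unrated dimension scores 0: a missing
        # rating is treated as missing trust, not as a neutral default.
        for source in (self.user_overrides, self.service_ratings):
            if dimension in source.get(certifier, {}):
                return source[certifier][dimension]
        return 0

    def evaluate(self, path, purpose):
        """Return warnings for relying on `path` (a CA chain, or the PGP
        signers linking a key to the user) for `purpose`. On each dimension
        the path is only as strong as its weakest certifier."""
        if not path:
            return [f"{purpose.name}: no certification path at all"]
        warnings = []
        for dim in DIMENSIONS:
            required = purpose.minimum.get(dim, 0)
            weakest = min(path, key=lambda c: self.score(c, dim))
            got = self.score(weakest, dim)
            if got < required:
                warnings.append(
                    f"{purpose.name}: '{weakest}' rates {got} on {dim}, "
                    f"needs {required}"
                )
        return warnings


# Constructed sample data (no real CA or person is being rated).
SERVICE = {
    "Example High-Assurance CA": {"identity_binding": 5, "key_management": 5},
    "Example Pay-To-Issue CA": {"identity_binding": 1, "key_management": 3},
}
# The user knows exactly who her sister is, but not that she manages keys well.
OVERRIDES = {"pgp:sister": {"identity_binding": 5, "key_management": 1}}

BANKING = Purpose("banking", {"identity_binding": 4, "key_management": 4})
LIST_MAIL = Purpose("list mail", {"identity_binding": 1, "key_management": 1})
POLICY = TrustPolicy(SERVICE, OVERRIDES)

if __name__ == "__main__":
    cases = [
        (["Example High-Assurance CA"], BANKING),
        (["pgp:sister"], LIST_MAIL),
        (["pgp:sister"], BANKING),
        (["Example High-Assurance CA", "Example Pay-To-Issue CA"], BANKING),
    ]
    for path, purpose in cases:
        print(path, purpose.name, POLICY.evaluate(path, purpose) or "ok")
```
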
Re: Equably when it comes to privacy
On 09/09/2013 03:03, Phillip Hallam-Baker wrote: On Sun, Sep 8, 2013 at 10:27 AM, Noel Chiappa j...@mercury.lcs.mit.edu wrote: Probably best if we keep the politics off the IETF list. Noel I grew up in politics. There is a method to my approach here. Nevertheless, it is the wrong method here. Brian
Re: Equably when it comes to privacy
ietf-boun...@ietf.org wrote on 09/08/2013 08:14:07 AM: From: Phillip Hallam-Baker hal...@gmail.com Another worrying aspect of BULLRUN is that it is named after a victory for the confederate side in the US civil war. But the battles are only called the (First or Second) Battle of Bull Run by the NORTH, which lost them. The SOUTHerners who won the battle, as well as the now-local residents of Northern Virginia, refer to them as the Battle of (First or Second) Manassas. To the locals, Bull Run is simply a local creek which happens to run through the battle field. Janet
Re: pgp signing in van
Phillip Hallam-Baker hal...@gmail.com wrote: Could we do smime as well? If we had a list of smime cert fingerprints it can be used for trust reinforcement Sure, but how does one establish any kind of web of trust in smime? I have to gather everyone's certificate, and I get no transitivity. The issue is that smime email clients are more common so I would rather teach the smime doggie pgp like tricks than vice versa I agree that they are more common, and I bemoan the fact that they aren't used. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network architect [ ] m...@sandelman.ca http://www.sandelman.ca/| ruby on rails[
Re: pgp signing in van
I have removed the attribution of this comment on purpose, because it applies to multiple people, and I want to attack a behaviour, not a person: This is what I mean by a high bar. Signing someone's PGP key should mean I know this person as X, not this person is X. Dilution of trust is a problem with PGP. I know this person as X is way too lax if you want the system to scale. Frankly, this is an example of pseudo-security “uphill and in the snow both ways” that has meant that, 20 years after S/MIME and PGP, almost nobody uses this stuff, even for the most elementary of things. Remember: better is the enemy of good enough. To all the people who posted to this thread about how they don't know what a PGP key signature means, and who did not PGP or S/MIME their email: Stop getting in the way. This is how an NSA mole would derail things: claim it needs to be better -- Michael Richardson mcr+i...@sandelman.ca, Sandelman Software Works
RE: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html That's a pretty damning indictment of the development of IPSec from John Gilmore. Lloyd Wood http://sat-net.com/L.Wood
Re: pgp signing in van
On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca wrote: To all the people who posted to this thread about how they don't know what a PGP key signature means, and who did not PGP or S/MIME their email: What's the upside to signing my email? I know why I want everybody I know to sign my email, but what's the upside for me if I do it? Until there's a clear win, it's not going to happen.
thoughts on pervasive monitoring
Here are some thoughts on reports related to wide-spread monitoring and potential impacts on Internet standards, from me and Stephen Farrell: http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/ Comments appreciated, as always. Jari Stephen
Re: pgp signing in van
On 9/8/13 3:50 PM, Ted Lemon wrote: On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca wrote: To all the people who posted to this thread about how they don't know what a PGP key signature means, and who did not PGP or S/MIME their email: What's the upside to signing my email? I know why I want everybody I know to sign my email, but what's the upside for me if I do it? Until there's a clear win, it's not going to happen. There are two that I see: 1. Since it's quite easy to send faked messages (and I have seen that done on public lists in an effort to embarrass or impugn the sender), signing one's messages makes it clear that the message really came from you. 2. Signing one's messages is a way of advertising that one is capable of engaging in encrypted communication. (This might not be a welcome analogy, but it's kind of like open carry for encryption.) Peter -- Peter Saint-Andre https://stpeter.im/
Re: pgp signing in van
On 9/8/13 5:09 PM, Hector Santos wrote: On 9/8/2013 6:21 PM, Peter Saint-Andre wrote: On 9/8/13 3:50 PM, Ted Lemon wrote: What's the upside to signing my email? I know why I want everybody I know to sign my email, but what's the upside for me if I do it? Until there's a clear win, it's not going to happen. There are two that I see: 1. Since it's quite easy to send faked messages (and I have seen that done on public lists in an effort to embarrass or impugn the sender), signing one's messages makes it clear that the message really came from you. 2. Signing one's messages is a way of advertising that one is capable of engaging in encrypted communication. (This might not be a welcome analogy, but it's kind of like open carry for encryption.) Peter But until the MUAs across the board support it out of the box, I believe most people don't know about it or know what it means. So that's an opportunity to educate people. For instance, perhaps the Internet Society might be interested in taking on that task. We don't need 100% of everything in order to make incremental improvements. Peter -- Peter Saint-Andre https://stpeter.im/
Re: pgp signing in van
Subject: Re: pgp signing in van Date: Sun, Sep 08, 2013 at 09:50:19PM + Quoting Ted Lemon (ted.le...@nominum.com): On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca wrote: To all the people who posted to this thread about how they don't know what a PGP key signature means, and who did not PGP or S/MIME their email: What's the upside to signing my email? I know why I want everybody I know to sign my email, but what's the upside for me if I do it? Until there's a clear win, it's not going to happen. If you, (like I am) are persistent in signing all email, an unsigned email from you is going to Raise Concerns. Bonus point: Signed email gets insane upvotes in Spamassassin. Mutt, Mulberry, and Mail.app (the latter with GPGMail) all do a splendid job of checking the box for you so that you mostly effortlessly can sign all outgoing email. The software is there. The web of trust still is a pain to maintain, but the tools and the benefits are both present. -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 Hey, wait a minute!! I want a divorce!! ... you're not Clint Eastwood!!
Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
--On Friday, September 06, 2013 17:11 +0100 Tony Finch d...@dotat.at wrote: John C Klensin j...@jck.com wrote: Please correct me if I'm wrong, but it seems to me that DANE-like approaches are significantly better than traditional PKI ones only to the extent to which: ... Yes, but there are some compensating pluses: Please note that I didn't say worse, only not significantly better. You can get a meaningful improvement to your security by good choice of registrar (and registry if you have flexibility in your choice of name). Other weak registries and registrars don't reduce your DNSSEC security, whereas PKIX is only as secure as the weakest CA. Yes and no. Certainly I can improve my security as you note. I can also improve the security of a traditional certificate by selecting from only those CAs who require a high degree of assurance that I am who I say I am. But, from the standpoint of a casual user using readily-available and understandable tools (see my recent note) and encountering a key or signature from someone she doesn't know already, there is little or no way to tell whether the owner of that key used a reliable registrar or a sleazy one or, for the PKI case, a high-assurance and reliable CA or one whose certification criterion is the applicant's ability to pay. There are still differences and I don't mean to dismiss them. I just don't think we should exaggerate their significance. And, yes, part of what I'm concerned about is the very ugly problem of whether, if I encounter an email address and key for tonyfi...@email-expert.pro or, (slightly) worse, in one of the thousand new TLDs that ICANN assures us will improve the quality of their lives, how I determine whether that is you, some other Tony Finch who claims expertise in email, or Betty Attacker Bloggs pretending to be one of you.
As Pete has suggested, one way to do that is to set up an encrypted connection without worrying much about authentication and then quiz each other about things that Tony(2), Betty, or John(2) are unlikely to know until we are confident enough for the purposes. But, otherwise By contrast, if I know a priori that the Tony Finch I'm concerned about is the person who controls dotat.at and you know that the John Klensin you are concerned about is the person who controls jck.com, and both of us are using addresses in those domains with which we have been familiar for years, then the task is much easier with either a PKI or DANE -- and certainly more convenient and reliable with the latter because we know each other well enough, even if mostly virtually, to be confident that the other is unlikely to be dealing with registrars or registries who would deliberately enable domain or key impersonation. Nor would either of us be likely to be quiet about such practices if they were discovered. An attacker can use a compromise of your DNS infrastructure to get a certificate from a conventional CA, just as much as they could compromise DNSSEC-based service authentication. Exactly. Again, my point in this note and the one I sent to the list earlier today about the PGP-PKI relationship is that we should understand and take advantage of the differences among systems if and when we can, but that it is a bad idea to exaggerate those advantages or differences. john
Re: thoughts on pervasive monitoring
Will the discussion include the pervasive data mining from companies exploiting our Internet use for marketing and targeted advertising purposes ? -J On Sun, Sep 8, 2013 at 4:53 PM, IETF Chair ch...@ietf.org wrote: Here are some thoughts on reports related to wide-spread monitoring and potential impacts on Internet standards, from me and Stephen Farrell: http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/ Comments appreciated, as always. Jari Stephen
Re: thoughts on pervasive monitoring
On 09/09/2013 01:24 AM, Jorge Amodio wrote: Will the discussion include the pervasive data mining from companies exploiting our Internet use for marketing and targeted advertising purposes ? IMO the discussion should of course include that as one part of a larger thing. Corporate privacy-busting is however somewhat different from recent news stories, for almost all corporates. There are a few companies who can monitor so much that they'd compete with governments in terms of being pervasive monitors. But recent reports indicate that some governments may have raised the ante quite a bit higher - if you're accumulating data from the largest corporate service providers and the phone companies/ISPs and the trans-atlantic fibres then you really probably are in a different category than any of even the largest corporates. I suspect the new part of the new threat model here is the level of pervasiveness of the monitoring. Separately, if we can figure out protocol mechanisms or implementation/deployment guidance that helps mitigate pervasive monitoring, then those same mechanisms will I would hope/guess also mitigate corporate non-pervasive monitoring. But, we'll have to wait and see for that. So I'd guess that we might be better to consider the pervasive monitoring attacker for now and then see if the kinds of mitigation we develop might also be helpful against somewhat less ubiquitous attackers. Cheers, S. -J On Sun, Sep 8, 2013 at 4:53 PM, IETF Chair ch...@ietf.org wrote: Here are some thoughts on reports related to wide-spread monitoring and potential impacts on Internet standards, from me and Stephen Farrell: http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/ Comments appreciated, as always. Jari Stephen
Re: Equably when it comes to privacy
Hi Joel, At 11:59 08-09-2013, joel jaeggli wrote: Should your tools, the contents of your mind, and the various effects and context of your personal communication become instruments of state-power? Because the tools we've built are certainly capable of that. Yes. That's not a good motivation to give up on privacy though. Regards, -sm
RE: pgp signing in van
There is no upside. By signing your mail you lose plausible deniability, remove legal doubt as to what you said... Lloyd Wood http://sat-net.com/L.Wood/ From: ietf-boun...@ietf.org [ietf-boun...@ietf.org] On Behalf Of Ted Lemon [ted.le...@nominum.com] Sent: 08 September 2013 22:50 To: Michael Richardson Cc: IETF discussion list Subject: Re: pgp signing in van On Sep 8, 2013, at 5:33 PM, Michael Richardson mcr+i...@sandelman.ca wrote: To all the people who posted to this thread about how they don't know what a PGP key signature means, and who did not PGP or S/MIME their email: What's the upside to signing my email? I know why I want everybody I know to sign my email, but what's the upside for me if I do it? Until there's a clear win, it's not going to happen.
Re: Equably when it comes to privacy
On 9/8/13 4:36 PM, SM wrote: Hi Joel, At 11:59 08-09-2013, joel jaeggli wrote: Should your tools, the contents of your mind, and the various effects and context of your personal communication become instruments of state-power? Because the tools we've built are certainly capable of that. Yes. That's not a good motivation to give up on privacy though. It is not. That said, the chickens are coming home to roost. Regards, -sm