On 12/17/2020 7:02 PM, Fernando Gont wrote:
Joe,
I think we have gone through this before. Folks (including you) raise
objections. I note that the claim has no basis or ask a question which
clearly shows the objection has no basis, and they omit the question,
stop responding, or switch to something else.
Or they consider that they have made their point, and don't want to read
through lengthy repetitions of the same counter-argument. Silence does
not mean assent.
To be clear, the point is not that security risks should be ignored.
Nobody is saying that. The point is that the proper way to conduct risk
analysis is by looking at attack areas such as information disclosure,
risks of spoofing, etc. These analyses will vary depending on
circumstances, and the responses are not always the same. They are
definitely not the same for information inside and outside the
encryption envelope. They are also not the same for all parameters in a
system. To give an example, consider the stream offset indicating the
position of the message bytes in a file. Randomizing that would be
ridiculous.
Analysis of weaknesses is good. Prescription of one-size-fits-all
remedies, on the other hand, does more harm than good.
-- Christian Huitema
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call