On 20-jul-2005, at 19:41, Hallam-Baker, Phillip wrote:
The number of arrests per capita and the total number of arrests in
several countries outstrip the US.
Well, since the number of countries in the world is counted in triple
digits, it's highly unlikely that the US is at the top of pretty much
_any_ list. I'd be more interested to learn the differences between
the US and comparable countries.
However, I immediately believe that US law enforcement isn't doing
all it could in this area.
How can you secure a communication channel against crime in general?
Accountability.
If by accountability you mean "making it impossible for the bad guys
to hide" then I have to disagree. IP already has a fairly high degree
of accountability by virtue of the IP address. Any time an attacker
engages in bidirectional communication it should be possible to find
him. However, the problem is that the world is a big place with many
different laws. So accountability in the sense that when someone does
something bad she has to pay the consequences isn't likely in the
foreseeable future, assuming a global internet like we have today.
If you expect the IETF to stop pensioner savings stealing, you're
setting yourself up for a big disappointment.
I expect that whatever body leads Internet standards making will be
doing all it can to stop Internet criminals from stealing pensioners'
life savings.
Well, that's an interesting idea. Don't we have law enforcement, the
same people we were both bashing at the beginning of the message, to
do this? Can the IETF in fact do this? Should it want to?
SSL is far from perfect, but I wouldn't say it's shelfware. It allows
consenting hosts to secure themselves against men in the middle and
eavesdroppers without aid from the network. E2e in its purest form,
I'd say.
Actually it's a transport layer security mechanism. It does not
provide end to end integrity guarantees, non-repudiation or any of the
other silly requirements I and others tried to impose on the HTTP
security mechanism in the mid 90s.
Like I said, it isn't perfect.
More email is encrypted using SSL than any other technique. But it is
only transport encryption, the message is en-clair on the mail server
and is decrypted and re-encrypted for every message hop.
I agree, SSL for SMTP isn't very useful except to show law
enforcement types that they have to work a bit harder than simply
running tcpdump on the wire that connects to the big mail server. But
that's what you get for running prehistoric store-and-forward
protocols.
However, for applications such as ecommerce over the web, where SSL
can indeed be deployed end-to-end, it's an unqualified success.
As for better security on the internet: in my opinion, the biggest
problem we have today is that a receiver is forced to receive
whatever anyone else connected to the network sees fit to transmit.
In some areas, such as email, accountability can help, but in others,
such as DDoS, this won't make a difference. What we need here are ways
for customers to have their ISPs reject unwanted traffic, while
"good" traffic is allowed through. One way to do this would be for
the ISP to do proxy IPsec AH verification. If the intended
destination gives out keys that are tied to the source address, only
"good" source addresses can generate the right HMACs and DDoS is a
thing of the past. (Well, if you have enough 10Gbps line rate crypto
line cards and there are of course some details to work out such as
distributing the keys and revoking compromised ones.)
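The proxy AH verification idea sketched in the last paragraph, as an added example that is not part of the original message: a Python simulation in which the destination issues per-source keys, the ISP edge verifies an AH-style HMAC tag bound to the source address, and packets with no key, a forged tag, a modified payload, or a revoked key are dropped before they reach the destination. The class and function names, the tag layout, and the assumption that the ISP simply shares the destination's key table (one of the details the message leaves open) are all constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """Minimal stand-in for an IP packet carrying an AH-style integrity tag (ICV)."""
    src: str
    dst: str
    payload: bytes
    tag: bytes


def compute_tag(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """HMAC over the fields an AH ICV would cover here: source, destination, payload.
    Covering the source address is what ties a key to one "good" source."""
    msg = src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Destination:
    """The intended destination hands out per-source keys and revokes compromised ones."""

    def __init__(self) -> None:
        self.keys: dict = {}

    def issue_key(self, src: str) -> bytes:
        key = os.urandom(32)
        self.keys[src] = key
        return key

    def revoke(self, src: str) -> None:
        self.keys.pop(src, None)


class IspFilter:
    """Proxy AH verification at the ISP edge.

    Assumption (constructed for this example): the ISP holds a view of the
    destination's key table; how it gets there is left open, as in the message."""

    def __init__(self, destination: Destination) -> None:
        self.keys = destination.keys
        self.forwarded = 0
        self.dropped = 0

    def admit(self, pkt: Packet) -> bool:
        key = self.keys.get(pkt.src)
        if key is None:
            self.dropped += 1          # unsolicited source: drop at the edge
            return False
        expected = compute_tag(key, pkt.src, pkt.dst, pkt.payload)
        if not hmac.compare_digest(expected, pkt.tag):
            self.dropped += 1          # forged or stale tag: never reaches the destination
            return False
        self.forwarded += 1
        return True


def run_scenario() -> dict:
    """Constructed traffic mix: a legitimate sender, a spoofer with no key,
    a tampered packet, and a packet sent after the sender's key was revoked."""
    dst = "192.0.2.10"                 # RFC 5737 documentation addresses
    good_src = "198.51.100.7"
    destination = Destination()
    isp = IspFilter(destination)
    good_key = destination.issue_key(good_src)

    def make(src: str, key: Optional[bytes], payload: bytes) -> Packet:
        # Without the key the best a sender can do is guess the 32-byte tag
        tag = compute_tag(key, src, dst, payload) if key else os.urandom(32)
        return Packet(src, dst, payload, tag)

    results = {}
    results["legitimate"] = isp.admit(make(good_src, good_key, b"GET / HTTP/1.1"))
    results["spoofed_source"] = isp.admit(make(good_src, None, b"flood"))
    results["no_key"] = isp.admit(make("203.0.113.99", None, b"flood"))
    pkt = make(good_src, good_key, b"GET / HTTP/1.1")
    pkt.payload = b"GET /admin HTTP/1.1"        # modified after the tag was computed
    results["tampered"] = isp.admit(pkt)
    destination.revoke(good_src)                 # key compromised and withdrawn
    results["after_revocation"] = isp.admit(make(good_src, good_key, b"GET / HTTP/1.1"))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18s} {'forwarded' if verdict else 'dropped'}")
```

Only the legitimate packet is forwarded; everything else is dropped at the edge without consuming the destination's capacity. Two caveats the simulation leaves out, beyond the line-rate and key-distribution points already made above: real AH also carries a sequence number with an anti-replay window, so a captured valid packet cannot simply be resent, and verification itself costs CPU at the edge, so a flood of tagged packets still has to be cheap to reject.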
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf