I think that many people in the security world and rather more outside it are repeating a big mistake we made during the cryptowars of the 1990s here.

During the cryptowars, designing protocols to make them 'Freeh-proof' became a priority. It was certainly a bigger priority than making them usable by ordinary people. Case in point, insisting on deploying S/MIME and PGP as pure end-to-end security protocols to remove the possibility of interception at the server. This is the architecture that you need to defeat interception at the server but it comes at the cost of having to push out credentials to all the end points. So fewer than 0.01% of users ever enroll for an end user credential, fewer use them. Meanwhile we have a major problem with spam and social engineering attacks, both of which exploit the lack of authentication in the email system.

The risk we face here is that people dismiss trustworthy computing in the same way for no other reason than to spite the RIAA. Security responds badly to political mandates, particularly the mandate 'don't make the system too secure'.

There are real problems in using trustworthy computing for copyright enforcement systems. Any system that depends on protecting the confidentiality of decryption keys that are embedded in a couple of billion end points is going to have limited effectiveness. But that fact says nothing about the practicality of protecting secrets that are only deployed out to a few thousand end points that are subject to regular and effective control.

I'll continue on my personal (not corporate) blog:

http://dotfuturemanifesto.blogspot.com/2008/02/dont-make-it-too-secure.html

-----Original Message-----
From: Theodore Tso [mailto:tytso@xxxxxxx]
Sent: Monday, February 18, 2008 7:58 PM
To: Hallam-Baker, Phillip
Cc: Christian Huitema; Spencer Dawkins; Iljitsch van Beijnum; michael.dillon@xxxxxx; ietf@xxxxxxxx
Subject: Re: IPv6 NAT?
On Mon, Feb 18, 2008 at 03:34:50PM -0800, Hallam-Baker, Phillip wrote:
> In the scenario I gave, the data I wish to stop the kids accessing is
> already on my network, net nanny is totally useless in this instance.
> Let us imagine that I have a configuration that consists of one Vista
> machine and one Home Server on which there is stored a collection of
> ripped DVDs of video nasties, you know The Sound of Music, Care Bears
> Movie etc. some of the nastiest films I have seen. I do not wish the
> kids' tastes to be corrupted by this rubbish.

Heh. From the Capitol Steps' "All I Want For Christmas Is A Tax Increase" album:

http://www.amazon.com/gp/music/wma-pop-up/B000003JOO001001/ref=mu_sam_wma_001_001

> Security cannot be effective when it is provided in the form of a DIY
> assembly required project. But that's what the field has been doing.

I'm afraid it's worse than that. As long as we provide general purpose computers, and some insiders that are determined to bring home databases filled with SSN so they can do work in the evenings, or children who know more about computers than their parents and who are determined to download videos of "Barney does Dallas", I'd claim it is pretty much impossible to solve the particular security problem which you are worried about.

And I'm not sure people are really willing to accept computers with the sorts of controls that would prevent these sorts of attacks on data. Look at the resistance to Microsoft's Palladium project by people such as Ross Anderson. (http://www.cl.cam.ac.uk/%7Erja14/tcpa-faq.html) Most consumers are far more focused on the sorts of abuse that could be perpetrated by Hollywood, the Music Industry, and Microsoft, rather than problems with databases filled with US Military personnel's credit information getting stolen out of unsecured laptops of incompetent government bureaucrats.
One could have a debate about whether this is a correct assessment of risks by the consumer and by organizations like EFF and EPIC, but it's reality that won't be easily changed.

In any case, this is a bit of a rathole from the original discussion, I suspect....

- Ted

_______________________________________________
Ietf@xxxxxxxx
http://www.ietf.org/mailman/listinfo/ietf