At 20:32 05-09-2013, Vinayak Hegde wrote:
> While it is nice to do a dedication of this meeting to the SA
> surveillance, I do not see us solving any issue here. It is merely a
> "feel-good" measure without real impact.

:-)

> Second, technology can never fix what is essentially a political
> problem. For example, we mandate strong security protocols and end-to-end
> encryption in HTTP(S) by default. Let's

In a Last Call comment a few months ago it was mentioned that a
specification takes the stance that security is an optional
feature. I once watched a Security Area Director spend thirty
minutes trying to explain to a working group that security features
should be implemented. If I recall correctly the working group was
unconvinced.
Would the community raise it as an issue during a Last Call if a
proposed protocol did not have strong security features? It's up to
the reader to determine the answer to that.

> assume all browsers implement this and do this perfectly without
> software flaws. All the NSA has to do is to compromise the other
> endpoint (controlled by ACME major corp). ACME gives over the
> encryption keys and access to all the unencrypted data to the NSA. So now

Yes.

> what are we going to do? The IETF can make a political statement
> by taking a stand but that may mean nothing in reality when the
> laws are weak. Another example is when you have

Taking a stand that means nothing is a feel-good measure.

> encrypted your drive and do not want to hand over the keys as it
> has some personal (and possibly incriminating evidence). In several
> countries you can be held in jail indefinitely (with obvious
> renewals of sentences) until you hand the keys over[1]. So in
> summary, technology cannot solve political and legal issues. At
> best it can make it harder. But in this case maybe not even that.

The IETF outlook does not apply in several countries. The IETF does
not seem to pay much attention to that detail (re. hand the
keys). It's not clear what the emergency is. Phillip Hallam-Baker
and Brian Carpenter already mentioned that it's not like this is a surprise.
According to a news article, key architects of the Internet plan to
fight back by drawing a plan to defend against state-sponsored
surveillance. Anyway, if someone really wanted to call for an
emergency response the person would have sent it to an IETF mailing list.

At 20:08 05-09-2013, Ted Lemon wrote:
> I think we all knew NSA was collecting the data. Why didn't we do
> something about it sooner? Wasn't it an emergency when the PATRIOT
> act was passed? We certainly thought it was an emergency back in
> the days of Skipjack, but then they convinced us we'd won. Turns
> out they just went around us.

I would describe it as a scuffle instead of a battle. My guess is
that the IETF did not do anything sooner as nobody knows what to do,
or it may be that the IETF has become conservative and it does not
pay attention to the minority report.

At 23:04 05-09-2013, Jari Arkko wrote:
> I think we should seize this opportunity to take a hard look at what
> we can do better.

:-)

> And please do not think about all this just in terms of the recent
> revelations. The

That's an interesting perspective.

> security in the Internet is still a challenge, and if there are
> improvements they will be generally useful for many reasons and for
> many years to come. Perhaps this year's discussions are our ticket
> to motivate the world to move from "by default insecure"
> communications to "by default secure". Publicity and motivation are
> important, too.

Yes.

Regards,
-sm