Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

Subject: Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
Date: Fri, Sep 06, 2013 at 09:04:41AM +0300
Quoting Jari Arkko (jari.arkko@xxxxxxxxx):
> I think we should seize this opportunity to take a hard look at what we can do better. Yes, it is completely correct that this is only partially a technical problem, and that there is a lot of technology that, if used, would help. And that technical issues outside IETF space, like endpoint security, or the properties of specific products or implements affect the end result in major ways. And that no amount of communication security helps you if you do not the guy at the other end.
> 
> But it is also obvious to me that we do not have a situation where everything that could be done has been done. I think we can do more. Some examples:
> 
> * we're having a discussion in http 2.0 work whether encryption should be mandatory

Given the relative impact of http I think that this is the most important
of your suggestions. Frankly, I do not think it is sensible to block
mandatory crypto in http 2.0. 

However, I think it is also important to look at how we handle the
key distribution problem. The traditional X.509 model has repeatedly
been shown to be extremely vulnerable to bad management and directed
attacks. Further, the dependency on relatively few root CA instances
and the lack of domain name scope limitations makes an attack on said
CA not only likely but also most rewarding to the attacker.

I do think that more distributed technologies like DANE play an important
rôle here.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
Like I always say -- nothing can beat the BRATWURST here in DUSSELDORF!!
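
An added illustration of the DANE point in the message above (not part of the original e-mail and not any project's code): a TLSA record, as defined in RFC 6698, is published under the service's own DNS name, so a certificate issued by some other CA for the same name does not match it. The function names, `www.example.com` and the byte strings standing in for DER data are assumptions constructed for this sketch; DNSSEC validation and the chain checks for usages 0 to 2 are not modelled.

```python
import hashlib
import hmac

# RFC 6698 certificate usages and matching types.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
MATCHERS = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """DNS name the TLSA RRset lives at; it is scoped to that one service."""
    return f"_{port}._{proto}.{host.rstrip('.').lower()}."


def parse_tlsa(rdata: str):
    """Parse presentation format 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in USAGES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"unsupported TLSA parameters in {rdata!r}")
    return usage, selector, mtype, bytes.fromhex("".join(hexparts))


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches the TLSA association data."""
    _usage, selector, mtype, expected = parse_tlsa(rdata)
    # Selector 0 = full certificate, 1 = SubjectPublicKeyInfo.
    selected = cert_der if selector == 0 else spki_der
    # Matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
    actual = selected if mtype == 0 else MATCHERS[mtype](selected).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins for DER bytes (not real certificates or keys).
SITE_SPKI = b"constructed-spki-of-the-real-server-key"
SITE_CERT = b"constructed-cert-from-CA-A:" + SITE_SPKI
RENEWED_CERT = b"constructed-cert-from-CA-C:" + SITE_SPKI  # same key, new CA
MISISSUED_SPKI = b"constructed-spki-of-some-other-key"
MISISSUED_CERT = b"constructed-cert-from-CA-B:" + MISISSUED_SPKI

# What the zone owner would publish: DANE-EE(3), SPKI(1), SHA-256(1).
PUBLISHED = "3 1 1 " + hashlib.sha256(SITE_SPKI).hexdigest()

if __name__ == "__main__":
    print(tlsa_owner_name("www.example.com"), "IN TLSA", PUBLISHED)
    print("real server key  :", tlsa_matches(PUBLISHED, SITE_CERT, SITE_SPKI))
    print("renewed, same key:", tlsa_matches(PUBLISHED, RENEWED_CERT, SITE_SPKI))
    print("other CA's cert  :", tlsa_matches(PUBLISHED, MISISSUED_CERT, MISISSUED_SPKI))
```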


