On 06.09.2013 13:30, Stewart Bryant wrote:
> Tell me what the IETF could be doing that it isn't already doing.

It really depends where you see the boundaries of the IETF.

For some the IETF only produces documents and that's it. Clearly, we
have a lot of specification work ongoing in different areas that helps
to mitigate various security vulnerabilities. This ranges from recent
work on XMPP end-to-end security (as in
http://tools.ietf.org/html/draft-miller-3923bis-02) all the way to the
recent RTCWEB discussions on using DTLS-SRTP as a key management protocol.

For other folks the IETF does much more, such as to reach out to those
deploying our technology. Many folks involved in the IETF community
produce open source code, write articles in popular computer magazines
explaining how to use the technology, give presentations at various
conferences, teach at universities and research institutes, provide
consulting, etc. The list is long.

It is obviously easier to write (security) documents but somewhat more
complex to get them widely deployed. Example: TLS everywhere, DNSSEC,
email security, routing security, etc.

While we are able to fill gaps in security protocols fairly quickly we
don't always seem to make the right choices because the interests of
various participants are not necessarily aligned. In general, we seem to
develop an insecure version and a secure version of a protocol.
Unfortunately, the insecure version gets widely deployed and we have an
incredibly hard time introducing the secure version.

In addition to the specification work we could think about how to reach
out to the broader Internet ecosystem a bit better. Since we have lots
of folks in the IETF I don't think it is an impossible task but it might
require a bit of coordination. Right now would be a good time to launch
some of those initiatives since most people currently understand the
need for security.

Ciao
Hannes