On 09/10/2013 09:12 AM, t.p. wrote:
> It is a shame that this opportunity was not taken to highlight the need
> for authentication. Having a totally secure channel with perfect
> encryption is of little value if the other end of the channel is a
> hostile power.

True. But if strong authentication at Internet scale is so
hard that people fall back to cleartext then that's worse.
Strong authentication can also in some cases expose identifiers
where you wouldn't otherwise need to, which is not the best thing
from a privacy perspective.

So for at least some of what's recently reported, it seems to
me that there is value in exploring whether opportunistic
encryption is worthwhile, maybe for cases where we don't
yet have strong authentication schemes that are privacy
friendly and that are deployable at Internet scale.

But yes, we also need to worry about strong authentication
and making that easier/better. I'd be happy to see folks working
on this from both approaches - making strong authentication
easier/better but also taking the approach of seeing whether and
when opportunistic encryption adds value. I would not be happy
if we dive into either one while ignoring the other.

S.

>
> RFC3365, which you cite, gets it right (of course!). It lists three
> requirements and top of the list - Authentication service. It may of
> course be that the author was only putting the requirements in
> alphabetic order but whatever the reason, the emphasis is appropriate.
>
> Tom Petch
>
> ----- Original Message -----
> From: "IETF Chair" <chair@xxxxxxxx>
> To: <ietf@xxxxxxxx>; <ietf-announce@xxxxxxxx>
> Sent: Sunday, September 08, 2013 10:53 PM
>
> Here are some thoughts on reports related to wide-spread monitoring and
> potential impacts on Internet standards, from me and Stephen Farrell:
>
> http://www.ietf.org/blog/2013/09/security-and-pervasive-monitoring/
>
> Comments appreciated, as always.
>
> Jari & Stephen