Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

On Sun, Sep 15, 2013 at 9:10 AM, Tobias Gondrom <tobias.gondrom@xxxxxxxxxxx> wrote:
On 09/09/13 09:29, Eliot Lear wrote:
We're talking.

Eliot


On 9/9/13 10:20 AM, Ross Finlayson wrote:
So, has Bruce Schneier actually been invited to speak at the Technical Plenary (or elsewhere) during the Vancouver IETF?  I recall him giving an informative talk at at least one previous Tech Plenary, and in light of his 'proposal', it would be interesting to hear what he believes to be broken, and what the IETF might be able to do to help fix it.

Ross.





A small comment: actually I would like to (read: expect to) read what he (and others) believe to be broken _before_ the next Plenary and giving a speech there. And as specific and constructive as possible. That way we will be much more effective talking about issues at the plenary and starting stuff at WGs.

Quite, pointing out what is broken is exactly the type of contribution Schneier could make. He is very good at spotting holes in security schemes. I must say I am a little annoyed by his approach. He could deign to post on the IETF lists himself rather than give oracular statements and then take the credit.

Security is all about risk mitigation, not risk elimination, as I argued to Bruce in the wake of his 15 risks of PKI article before he wrote Secrets and Lies. Security design means tradeoffs and designing to mitigate the chief risks. Unlike generals who can spend millions of taxpayer dollars making their operations room look like the bridge of the Enterprise, I have to consider resources.

We do have several areas where we could make significant advances however:

1) Technical improvements to TLS such as recommending sites turn on PFS by default and remove weak ciphers. 

2) Stop sending authentication cookies in the clear whether or not they are sent inside an encrypted tunnel. 

http://tools.ietf.org/html/draft-hallambaker-httpsession-01

3) Fix the missing 5% that stops people using secure email. We have PGP that has mindshare and S/MIME that has deployment and both are too much trouble for most IETF people to use, let alone the typical Internet user. We can and should fix that.


Phill


--
Website: http://hallambaker.com/
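Points 1 and 2 of the list above are concrete enough to check mechanically. The following is an added example written for this archive page, not code from the thread or from the httpsession draft: it builds a server-side TLS context limited to ephemeral (EC)DHE key exchange and AEAD suites, verifies that no enabled TLS 1.2 suite lacks forward secrecy or uses a legacy algorithm, and audits Set-Cookie headers for the Secure (and HttpOnly) attributes. The cipher policy string and the weak-algorithm marker list are my own choices, the Set-Cookie samples are constructed, and only the Python standard library is used. The cookie check covers only the plaintext-transport half of point 2; the draft's own session-binding mechanism is not modelled here.

```python
"""Added example (not from the thread): checks for points 1 and 2 of the list."""
import ssl

# --- Point 1: forward secrecy on, weak ciphers off --------------------------

# Substrings that mark legacy or broken suites (a constructed policy list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL")
# Key-exchange tags reported by SSLContext.get_ciphers() that give PFS.
PFS_KEA = ("kx-ecdhe", "kx-dhe")


def hardened_server_context():
    """Server context restricted to ephemeral key exchange and AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Positive list first, then explicit exclusions of the classic weak families.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
        ":!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"
    )
    return ctx


def policy_violations(ctx):
    """Names of enabled TLS 1.2 suites that lack PFS or use a weak algorithm."""
    bad = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are always (EC)DHE and AEAD
        if c["kea"] not in PFS_KEA or any(m in c["name"] for m in WEAK_MARKERS):
            bad.append(c["name"])
    return bad


# --- Point 2: authentication cookies that can travel in the clear -----------

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def cookie_findings(header):
    """Findings for one Set-Cookie header; an empty list means it passed."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie on http:// requests.
        findings.append("missing Secure")
    if "httponly" not in attrs:
        # Without HttpOnly page script can read the cookie value.
        findings.append("missing HttpOnly")
    return findings


def audit_headers(headers):
    """Map cookie name -> findings for every Set-Cookie header that fails."""
    report = {}
    for h in headers:
        name = parse_set_cookie(h)[0]
        findings = cookie_findings(h)
        if findings:
            report[name] = findings
    return report


# Constructed sample headers; not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=3f9a0c1d; Path=/; HttpOnly",                  # leaks over http://
    "auth=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Lax",  # passes
    "lang=en; Path=/",                                       # fails both checks
]

if __name__ == "__main__":
    print("TLS policy violations:", policy_violations(hardened_server_context()))
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings)}")
```

Run the file directly to print the TLS policy result (an empty list for the hardened context) and the per-cookie findings; `policy_violations` can also be pointed at any other `SSLContext`, such as one built from a deployed server's configuration, to see which enabled suites would fail the same policy.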
