Re: https at ietf.org

If people can tamper with the process without traceability, is the process open?

In order to be sure that you’ve produced an open result, should the activities of the process happen in secret?  What assurance would that give you in the result?  If the process is completely without merit - then what difference is it how (or if) someone might get the result?

Encrypting the process of getting the result is only working on the very last piece of the issue - isn’t it?  What use would that be without doing the other work to make the process trustable and robust?

HTTPS conveys to me that I have some level of trust in that I am communicating with the service I intended.  (I’m ignoring completely that not all CAs are equal and that DNS might completely lie to me along the way.)  That, for me at least, doesn’t necessarily create trust in the “product” of the service.

I buy crappy stuff from Amazon all the time, I’m just attempting to achieve that (1) it’s a little difficult to steal my credit card # (2) Amazon is forced to comply with PCI by the credit card processing companies.  The thing I order from Amazon may still be a total piece of junk.


HTTPS protects a user (presumably) from someone knowing which standard they downloaded or which mailing list archive they might have read.  If there is pervasive passive monitoring, it doesn’t protect them from being recognized as having gone to IETF.  And if you really have enough passive monitoring - determining which standard gets downloaded might be possible too, watch for the traffic spike, and check the size.  (It’s really easy for those reading NFS :) .)  Because the passive monitor can get all the standards too, and know their size just as well.


--
Chris Inacio
inacio@xxxxxxxx



On Nov 7, 2013, at 9:33 AM, Noel Chiappa <jnc@xxxxxxxxxxxxxxxxxxx> wrote:

>> From: Chris Inacio <inacio@xxxxxxxx>
> 
>> To that effect, if we're really serious about this stuff, shouldn't
>> we want all email on the lists signed as well?
> 
> ?? That would provide authentication. I thought the issue on the table was
> privacy?
> 
> 	Noel
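
The size-matching point in the message above, as an added example that is not part of the original post: it measures which documents in a public catalogue stay distinguishable by transfer size alone, and how padding responses to a fixed block size shrinks that set. The catalogue entries, the tolerance and the padding block are constructed assumptions.

```python
# Added illustration: document names and byte sizes are constructed sample
# data, not real IETF file sizes.

CATALOGUE = {
    "doc-a.txt": 18_432,
    "doc-b.txt": 18_950,
    "doc-c.txt": 64_210,
    "doc-d.txt": 215_877,
    "doc-e.txt": 612_344,  # one unusually large document stands out
}


def padded(size, block):
    """Round size up to the next multiple of block (block=1 means no padding)."""
    return -(-size // block) * block


def anonymity_sets(catalogue, block=1, tolerance=0):
    """Map each document to the documents an observer cannot tell it from.

    tolerance models measurement slack (header and record overhead): two
    documents are confusable when their on-the-wire sizes differ by at most
    tolerance bytes. Encryption hides content, not these sizes.
    """
    wire = {name: padded(size, block) for name, size in catalogue.items()}
    return {
        a: sorted(b for b in wire if abs(wire[a] - wire[b]) <= tolerance)
        for a in wire
    }


def uniquely_identifiable(catalogue, block=1, tolerance=0):
    """Documents whose size matches no other entry, i.e. anonymity set of one."""
    sets = anonymity_sets(catalogue, block, tolerance)
    return sorted(name for name, peers in sets.items() if len(peers) == 1)


if __name__ == "__main__":
    for block in (1, 65_536, 1_048_576):
        exposed = uniquely_identifiable(CATALOGUE, block=block, tolerance=600)
        print(f"pad to {block:>9} bytes: {len(exposed)} of {len(CATALOGUE)} "
              f"documents identifiable by size: {exposed}")
```
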





