Hi,

Can folks please stop cross-posting this to the HTTPbis WG? I'm sure we'll become aware of any relevant outcome of the discussion, and interested folks can join over on perpass.

Thanks,

On 5 Dec 2013, at 5:38 am, Hannes Tschofenig <Hannes.Tschofenig@xxxxxxx> wrote:

> Hi Lloyd,
>
> On 12/04/2013 10:55 PM, l.wood@xxxxxxxxxxxx wrote:
>> I see you ignore the DRM point.
>
> I don't understand your DRM point to be honest. It also does not seem to be relevant to this conversation. DRM standards have not been developed in the IETF either.
>
> draft-farrell-perpass-attack-00 does not specify solutions (which it states in the document).
>
> If your argument is that security adds complexity to protocols then that's certainly true. The other option would be not to have security in protocols at all to make them "more lightweight". Do you seriously think that this is a useful option (even before the NSA revelations)?
>
> If your argument is that security problems on the Internet should be solved via legal / regulatory ways then please go ahead and make these proposals. Obviously, the IETF would be the wrong forum to do that. I am sure the European Commission, for example, is interested to listen to your proposals and will immediately issue new proposals for regulation. It would be great if those who think that there are regulatory solutions would in fact then work on those rather than just having technically minded people who push problems around.
>
> If your argument is that aging cryptographic algorithms require software to be updated then let me tell you that software gets updated even for functionality reasons. Do you think that all the software updates you get for your smart phone apps are only security fixes? There are, however, many software updates that relate to security vulnerabilities. My approach would, however, be to incorporate software update mechanisms into products (which is what pretty much everyone in the industry seems to be doing) instead. While this is largely a non-IETF issue it would still be interesting to hear whether you have other suggestions.
>
> Your suggestion to do more interoperability testing sounds reasonable to me. I have been involved in interoperability tests myself (and even organized a few). Those tend to have a different focus, namely to provide feedback about whether the implementations interpreted the specs correctly. Penetration testing is what you would typically do to discover security vulnerabilities. We typically don't do those (at least not that I have heard). As such, I would rather see them as an orthogonal effort (which many in the IETF are involved in already anyway). Are you suggesting that we should also do penetration testing?
>
> Please also note that "security" is not a monolithic block, as you can see from RFC 3552. In various discussions with you I got the impression that you dislike security in general. That can hardly be true since I am sure you like some of the security features in there as well. For example, you might find authentication a pretty cool concept to avoid others accessing your email account.
>
> Ciao
> Hannes
>

--
Mark Nottingham http://www.mnot.net/