Re: [perpass] Comments on draft-farrell-perpass-attack-00 was RE: perens-perpass-appropriate-response-01

On Sun, Dec 8, 2013 at 3:34 PM, Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote:


On 12/08/2013 05:56 AM, l.wood@xxxxxxxxxxxx wrote:
> Stephen,
>
> I've no idea what you think you mean when you say 'moving beyond
> mandatory to implement'. My take is that encryption should never be
> mandatory to implement.

MTI security is what's called for by BCP 61. Sometimes the MTI
security for a protocol will involve confidentiality, other
times (e.g. routing protocols) it has tended not to. So your
"take" is at odds with long-standing IETF BCPs.

Traditionally the IETF has considered security to be end-to-end security or nothing. Protecting against meta-data and traffic analysis attacks has been considered to be too hard and too little return on investment.

Whether or not we agreed with the past status quo (I did not), it was a product of the constraints and security requirements that existed pre-Snowden. One of the effects of Snowden is that there are more people willing to commit more resources to solving security problems. So even if you are not surprised by the Snowden releases, the fact that the knowledge is out there changes what is possible.


Before Snowden I thought that any attempt to deploy end-to-end email security was futile. After Snowden I think that we have another chance. Which is rather strange given that it is not a protection against meta or traffic analysis. But that is just a consequence of the fact that I can build on twenty years of work and a ten-year base of deployed code that is 95% right.
 

--
Website: http://hallambaker.com/
