----- Original Message -----
From: "Melinda Shore" <melinda.shore@xxxxxxxxx>
To: "Ted Lemon" <ted.lemon@xxxxxxxxxxx>
Cc: "IETF Discussion" <ietf@xxxxxxxx>
Sent: Thursday, January 02, 2014 3:39 AM

> On 1/1/14 6:11 PM, Ted Lemon wrote:
> > On Jan 1, 2014, at 6:07 PM, Melinda Shore <melinda.shore@xxxxxxxxx>
> > wrote:
<snip>
>
> One of the reasons I'm somewhat annoyed about the wave of
> gasbaggery and pontification that has followed truly disturbing
> revelations about the extent to which the US government has
> undermined privacy and compromised security technologies is
> that work which might have helped provide tools to mitigate
> some of the soft spots in IETF work has been backburnered in
> favor of no small amount of unfocused grandiosity that doesn't
> actually change much.

Melinda

I note your explicit reference to the US government. I note, too, recent postings (e.g. on the TLS and UTA lists) which cast doubt on the integrity of the (American) NSA which, in turn, reminds me that I see the USA as a country of small government (starting with the Founding Fathers), something to be distrusted, subverted even, and I think that that is colo(u)ring this discussion (whether or not the proponents of this I-D are American citizens). Elsewhere, I believe that governments are more trusted, so when the head of a (non-American) national security agency says that the world is now a more dangerous place, that successful terrorist attacks are more likely because of recent revelations, then that consideration, of personal security, outweighs my concern that someone is reading my messages to, say, a secret lover. I have been close to terrorist attacks - doubtless some on this list have been directly affected by them - and while I see them as probability low/impact high, I am more concerned about that risk than that of the state seeing something I would rather it did not.
And, as I said before, if there is any breach of privacy that concerns me, and again it is one that I see echoed in the national media, it is that of the assembling of personal profiles by large, quasi-monopolistic websites, something which the aspirations of this I-D would seem to make more likely.

Tom Petch

> At any rate this draft is not RFC3552. 3552 provides very specific
> guidelines for what needs to be considered in
> writing^H^H^H^H^H^H^H^Hreviewing security considerations.
>
> It is tempting to just let this through last call in hopes that
> once it's done we can come back around to prioritizing work like
> fixing PKI but I'd be very sorry indeed to see this published as a
> BCP.
>
> Melinda
>