Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

Lloyd,

I share many of your concerns, especially in light of the fact that security ADs have had a dodgy record in the past. 

In my opinion, there is considerably more work to be done on the threat analysis that has been ably begun by Brian & co.

Discussion and development of our understanding of the problem space is what I believe is called for.  If this draft has that effect, it has served a useful purpose.

If, on the other hand, developers of a specification discussed the matter in earnest and there was consensus on the way forward, even if some pervasive threats were not eliminated, and if that work is held up by claims relating to this draft, then this draft will have caused harm.

That is nothing more or less than common sense.

As to whether this draft is political, I don't think it can be stressed enough that if one group of people can subvert our architecture, others can as well. Our political statement, such as it is, is that in order to maintain confidence in the Internet, our protocol suite should be resistant to this sort of thing, but within the bounds of pragmatism. 

Eliot

> On Jan 1, 2014, at 6:08 AM, "l.wood@xxxxxxxxxxxx" <l.wood@xxxxxxxxxxxx> wrote:
> 
> what it means for work moving through the IETF process
> is that any work becomes subject to security veto.
> 
> if security types don't like your work - tough. it's
> going nowhere. draft-farrell really widens that scope.
> and this is going to mean arguments about
> much more than the tradeoffs of using MD5.
> 
> for a self-described technical organisation that
> does not make policy pronouncements (which is
> itself a very political position, but never mind)
> this draft is awfully political.
> 
> Lloyd Wood
> http://about.me/lloydwood
> ________________________________________
> From: ietf [ietf-bounces@xxxxxxxx] On Behalf Of Melinda Shore [melinda.shore@xxxxxxxxx]
> Sent: 01 January 2014 05:38
> To: ietf@xxxxxxxx
> Subject: Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice
> 
>> On 12/31/13 3:23 PM, Dave Crocker wrote:
>>   We should not approve an IETF policy statement
>>  until we have a good idea of the way we will use it.
> 
> I think this is a critical point and I agree quite strongly
> with it.  I've mostly been baffled by the IETF response to
> revelations about internet eavesdropping, to be honest,
> and it's struck me that work on some of the problems that
> need to be solved to provide better privacy guarantees (for
> example, fixing PKI and providing better keying) have been
> pushed to a back burner in a scramble to make grandiose
> pronouncements.  It's not that draft-farrell is a bad
> document on its own merits, it's just that I cannot for
> the life of me understand what it specifically means for
> work moving through the IETF process.
> 
> Melinda
> 




