-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi.
After looking through the agenda and thinking about end to end
confidentiality mechanisms, a few questions/suggestions:
(1) Other than a probably-appropriate level of general paranoia,
do we have
any reason to believe that PGP (Symantec and/or GNUPG versions)
has been
sufficiently compromised to not provide a good defense against
either
pervasive surveillance or general snooping?
(2) If the answer is "no, they are probably ok" or better,
should we be
doing a key signing in London? That would facilitate longer
keys for those
who would benefit from that and getting the facilities more
generally
available to relative newcomers [1].
(3) If the answer is "yes, they have to be treated with great
suspicion",
they why are there not BOFs or other sessions on the agenda to
consider
whether the IETF standards should be upgraded or, if that is not
feasible,
deprecated?
(4) If we are going to do a key signing, would there be enough
interest in
signing of CACERT X.509 keys to see if there are enough people
with the
right credentials who will be in London to certify those too (in
spite of
the non-presence of the CACERT root keys in various browsers,
etc.)?
If we are really serious about preventing monitoring, especially
at the
application layer and doing so within our own community as an
example, this
should be obvious. Indeed, it might be interesting as a first
step to fix
the IETF list so it wouldn't accept unsigned messages.
Conversely, if it
is not obvious, maybe we are not really that serious.
best,
john
[1] Some people will sign PGP keys on the basis of documents
(like
passports) alone, others won't. But, even if most people won't,
it has
been a sufficiently long time since we've done a key-signing at
IETF that I
imagine there are a number of no-longer-newcomers around who
might benefit
and who are reasonably well known to others .
-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8
wj8DBQFS7YCK5pJ/EbOJ8NoRAku9AJ9hDPLM7pUN8FbhcTWcq9Ipx42qDACdFSLW
Nfly1Cdbie7k7ANPxuRZtA0=
=ft5+
-----END PGP SIGNATURE-----