On 4/3/2014 5:26 PM, Brian E Carpenter wrote:
I think we need to distinguish various
quite separate issues. Off the top of my head, I can see:
What I like most about Brian's list is that it seeks to gain some
discipline an clarity about what might be done and why. As Ned's
responses shows, this requires even more clarity and -- depending on
what answers we give -- different difficulty.
On 4/3/2014 5:29 PM, Randy Bush wrote:
> because we blew it way back when, by designing a completely insecure
> and un-private internet. as supposedly responsible and occasionally
> competent engineers, we should rectify our mistakes.
This promotes a collection of popular myths which both give a false
history and a false (and counter-productively distracting) present.
The presumption that 'security' was ignored "way back" is simply wrong.
Both in the 70s and again in the 90s, security issues were given
attention. In the 70s, the primary answer was encryption boxes, for
those special cases deem to need them. In terms of the technology of
the day, when combined with the nature of the scale and use of the
Arpanet and eventually Internet, that was a reasonable choice.
In the 90s, we got PEM, PGP, S/MIME and the beginnings of DNSSec.
The experience of the 90s nicely highlights the problem with the second
myth, that we merely needed to 'decide' to do 'security'. As the
increasing list of problematic security-related efforts over the last 25
years demonstrate, doing 'security' for Internet scale and diversity is
a challenge, often appearing to be beyond the state of the art.
Note how little DNSSec we still have. Note how little PGP and S/MIME
use we still have. All three of those were diligent, reasonable design
efforts. Yet their deployment and use remains problematic.
Added to this is that the word 'security' is almost completely
meaningless in technical terms. For most technical discussions, it's so
vague there's no way to know what specific problems are of concern or
what functions are intended.
So please, let's focus on the kind of disciplined, targeted effort that
Brian is promoting to consider needs and solutions, and move away from
mythology.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net