RE: Security for various IETF services

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



"That is worrying, because it seems that you are intent on
encumbering transactions, without requiring a case by
case study of the threat model, and applying a security
and privacy model that is appropriate to the specific
transaction."

yes. not coincidentally, that's EXACTLY what Stephen
encouraged in DTNRG, starting with MD5-is-ALWAYS-bad
and working up to the-security-model-is-everything. As
opposed to the needs of the networking scenario.

we had the perpass debate, and here we go again.
Well, you've been warned.

Lloyd Wood
http://sat-net.com/L.Wood/dtn
________________________________________
From: ietf [ietf-bounces@xxxxxxxx] On Behalf Of Stewart Bryant (stbryant) [stbryant@xxxxxxxxx]
Sent: 05 April 2014 09:50
To: Stephen Farrell
Cc: IETF-Discussion; The IESG
Subject: Re: Security for various IETF services

>>
>> "The IETF are committed to providing secure and privacy
>> friendly access to information via the web, mail, jabber
>> and other services.

Please confirm that "friendly" implies that the user gets to
choose the degree of security privacy that they consider
appropriate, and that their applications and devices are not
encumbered  with the overheads unless they choose to invoke
the privacy and security mechanisms.


>> While most (but not all) data on IETF
>> services is public, nonetheless access to that data
>> should use best practices for security and privacy.

I agree, but please can you clarify your interpretation
of "best practise" so that we can understand how
liberal or prescriptive this is?

>> However, as there are numerous legacy tools that have been
>> built that require access via cleartext, the IETF will
>> continue to allow such access so as not to break such
>> tooling. New services will however generally only be made
>> available in ways that use security protocols such as
>> TLS."
>>

That is worrying, because it seems that you are intent on
encumbering transactions, without requiring a case by
case study of the threat model, and applying a security
and privacy model that is appropriate to the specific
transaction.

Stewart.






[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]