On 01/06/15 23:41, Roland Dobbins wrote:
>
> On 2 Jun 2015, at 4:27, Paul Wouters wrote:
>
>> We had to cater to governments banning encryption for its users, and
>> we now see what that got them.
>
> They just go around the encryption and compromise the endpoints.
> They're *governments*, so they have the resources to do that (not
> debating whether or not they should, just stating observed fact).

The proposed statement itself quotes two apparent counter examples
where (allegedly:-) governments used man on the side attacks and
at apparently significant scale.

>
> Also, universal or near-universal encryption is a serious problem in
> terms of detection, classification, traceback, and mitigation of
> application-layer DDoS attacks. It drastically limits the scaling
> capacity of defenders, and results in even more cost asymmetry between
> defenders and attackers (in favor of the attackers).

Please contribute concrete text on the technical details of that
to [1]. We do need to document the changes (including downsides)
caused by encrypting more. Text is very welcome for that. (Best
sent to saag@xxxxxxxx or the authors.)

[1] https://tools.ietf.org/html/draft-mm-wg-effect-encrypt

>
> My guess is that those who make bold, sweeping statements about how
> everything ought to be encrypted all the time are rarely those who have
> to deal with the unintended consequences of overencryption.

I hope that this discussion doesn't go down the purely distracting
rathole of statements like "everything ought to be encrypted all
the time" - that is as related to this statement as pixie dust
security solutions are to reality, regardless of what position
one adopts in relation to encryption.

That said, I suppose it's inevitable that this discussion at least
looks at the top of that rathole;-) I do hope it's a passing glance
only though.

>
> In the final analysis, there are no technical solutions for social ills.
> The entire issue of unwanted surveillance by government entities is a
> social and political problem; it seems pretty clear that since the
> social/political side of things aren't proving to be easily resolved,
> that some folks are advocating doing *something*, *anything*,
> irrespective of whether it will actually make a positive impact on the
> conditions to which they object and without regard to the non-trivial
> side-effects of what they're advocating.
>
> The IESG and the IETF in general should concentrate on technical issues,
> and work on solving social and political problems should take place in
> other, more appropriate fora, IMHO.

I don't see how that corresponds to the proposed IESG statement
at all.

S.

>
> -----------------------------------
> Roland Dobbins <rdobbins@xxxxxxxxx>
>