Hi,

I would suggest that this document is pretty close to ready, but not quite ready. The language/tone and some of the content of the report really need a lot of tightening up, and the record is not entirely accurate. Here are a few "for instances".

Regarding hotel networking, the draft states: "It seems some protocol is missing in this case." The presentation given was all about the challenges of how protocols like WISPr rely upon clear text. The problem is that the portal can't intercept HTTP and pose the question to the user without a security warning popping up (if it works at all). The whole point was that in the face of encryption a mechanism is needed to authorize users onto such networks, and that is what should be stated.

In on-by-default we discussed, for instance, a more nuanced approach where there might be some protocols where it would be absolutely the case that one would never want unencrypted traffic (SCIM was an example), and others where some of the challenges of encryption would make it not worthwhile (we discussed discovery protocols, as I recall). That was to be part of follow-on work (part of the draft that was mentioned).

Another example: "Hopefully, they supervise their security better than..." Either they do or they don't. But the phrasing of that is a bit off. And I'm not entirely sure what "supervise their security" means, but I do know what "expending effort in securing their offering" means.

On this statement: "Lack of interoperability between systems is in itself a threat as it leads to work-arounds and compromises that may be less secure." It's not lack of interoperability that's the threat but poorly thought out workarounds. In the cyberinsurance market it is interoperability that is the threat (not the lack thereof) because it increases the risk of a catastrophic loss. The whole tie-in to epidemiological modeling and cybersecurity is based on this fact (one of our luminaries was notoriously fired from a company when he pointed out the risks of a monoculture, which is inherently interoperable (he's still around - they're not ;-)).

I'll stop there for now, but really the report could use a few more eyes.

Eliot

On 6/3/15 8:30 PM, IAB Chair wrote:
Dear colleagues,

This is an announcement of an IETF-wide Call for Comment on draft-iab-strint-report-02.txt. The document is being considered for publication as an Informational RFC within the IAB stream, and is available for inspection here: https://www.ietf.org/id/draft-iab-strint-report-02.txt

The Call for Comment will last until 2015-07-01. Please send comments to iab@xxxxxxx.

Best regards,

Andrew Sullivan
IAB chair
On behalf of the IAB