There are two issues
1) Requirements, how should this data be secured?
2) Technology, how can the requirements be met?
I totally agree that transport layer encryption is not enough here. The security requirement is end to end.
Proprietary products that meet that requirement do exist and the US agencies that do this work have the financial and technical means to deploy and use them and I have no problem with the idea of imposing a requirement on that group that requires them to pay for the tools.
However, it is not just the US agencies doing this work. There are now 117 cyber commands and there is a real problem of 'loose cyber-weapons'. It is to the interest of the US and to all the other cyber-commands that a norm is established that cyber weapons are secured end to end throughout their lifecyle and tools produced to enable that to be achieved.
Such tools do not currently exist. However some key patent expiries that have occurred and will be complete in November this year make true end to end data level encryption practical. I have proof of concept but short of infringing code running in the lab which I will push out as soon as I can together with the supporting specifications.
On Thu, Mar 9, 2017 at 4:02 PM, John C Klensin <john-ietf@xxxxxxx> wrote:
Jari,
Let me suggest one addition to your list (with which I otherwise
agree):
5. No matter how strong the in-transit encryption or other
measures, they doesn't mean much if the relevant endpoint hosts,
or intermediate hosts that have the traffic in the clear, can be
compromised. We all know that, but we seem to sometimes need
reminding. In particular, while it is definitely not an
argument against link encryption, we need to be cautious that we
are not protecting things in a way that inadvertently shifts the
points of vunerability from one place to another (especially
another that is either more easily compromised or that
constitutes larger and more concentrated single point of
failure) and then assume that it makes things more secure
overall.
best,
john
--On Thursday, March 9, 2017 22:36 +0200 Jari Arkko
<jari.arkko@xxxxxxxxx> wrote:
> Up-leveling a bit from the discussion of best practices for
> surveillance organisations and virus builders (who apparently
> are partly the same crowd). We can make some more general
> observations, I think, maybe a bit more relevant for the rest
> of us.
>
> I don't think the reported findings are particularly
> surprising. But they seem to support what I think we knew
> already:
>
> 1. Security isn't a single feature, but needs to be thought
> in terms of the whole. Comms security and devices and ...
>
> 2. There is no such thing as privileged access to the good
> guys. It will leak / break / be shared.
>
> 3. Secretly held vulnerabilities make us all less safe.
>
> 4. The security of our communications and applications matters
> a lot. Lives are at stake, not just your browsing history.
>
> Jari
>