Hello,
At 06:06 AM 06-11-2017, The IESG wrote:
The IESG has received a request from an individual submitter to consider the
following document: - 'Effect of Pervasive Encryption on Operators'
<draft-mm-wg-effect-encrypt-13.txt> as Informational RFC
The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2017-12-04. Exceptionally, comments may be
On reading the draft, I wondered whether the authors of the draft
have an opinion about "responsible encryption".
In Section 1.1:
"OS has been implemented as NULL Authentication with IPsec [RFC7619]
and there are a number of infrastructure use cases such as server
to server encryption, where this mode is deployed."
It is possible to find use cases of deployment. That does not mean
that it is always a good idea.
In Section 2:
"This and other increases in the use of encryption had the immediate
effect of helping protect the privacy of users' data, but created a
problem for some network management functions."
Is this about privacy or is it about a security loophole?
In Section 2.1.2:
"The ability to identify the problem application's traffic is
important and deep packet inspection (DPI) is often used for
this purpose."
Is debugging choppy video the main purpose of DPI? Why should
perversive surveillance software/hardware be used to debug application issues?
In Section 2.3:
"These regulations include Lawful Intercept, adherence to Codes of
Practice on content filtering, and application of court order filters."
Are the "Codes of Practices" part of regulations? Are there
references to those Codes of Practices?
In Section 3.2.2:
"STARTTLS ought have zero effect on anti-SPAM efforts for SMTP traffic."
I doubt that STARTTLS cause any significant problem as the receiver
has the ability to inspect emails.
In Section 4.1.1:
"detect and defend against Internet DDoS attacks, including both
volumetric and layer 7 attacks."
Does the IETF use the OSI layer (re. layer 7)?
As an overall comment, there are many uses of "many" in the
document. I read the entire document. I understand that the authors
may have put a lot of effort in this work. However, I preferred to
reduce the effort as it was a bit tedious to do a detailed
review. The title of the document is "Effect of Pervasive Encryption
on Operators". Is this document about making the case against RFC 7258?
Regards,
S. Moonesamy