On Fri, Mar 20, 2020 at 10:57:31AM +0000, Wout de Natris <denatrisconsult@xxxxxxxxxx> wrote a message of 238 lines which said:

> The topic of choice became deployment of internet standards:
> e.g. DNSSEC, RPKI and BCP38, but also the OWASP top 10, ISO 27001
> and secure software;

Yes, the choice of ISO 27001 is strange. It is not an "Internet standard" in any way, and it is just a set of bureaucratic rules, without relationship with actual security.

> Others involve people with knowledge, i.e. your community, to assist
> in translating new standards into layman's speech and in
> dissemination to non-technical communities.

Many IETF participants already do it. The report contains zero ideas on how to do it better or more broadly. (The fact that the report does not mention that outreach must be done in the local language is a weakness.)

But the report has other weaknesses:

* there are several unsubstantiated claims such as "some standards, e.g. DNSSEC, may not have been thought through sufficiently". But there is no detail: which problems do you see with DNSSEC? How to improve it? The IETF would like to create a 4033-bis with the problems fixed.

* the report uses the very common narrative "The protocols or internet standards, in other words were created without security in mind. At best it was considered, after which it was decided security would not be a priority. All the standards that are discussed here can in a way be seen as digital band aids, fixing what only in hindsight was flawed." I suggest that you read RFC 5218 for a good criticism of the cliché "protocols should be designed with security in mind". Even now, with the knowledge we have, designing secure systems is hard.

* the report keeps to the very outdated claim that there are two sorts of standards, official ones and the others. It even pretends that ISO is more "official". That's not true. Except for the rare cases where a law mandates a given standard (which is not the case for ISO 27001, at least in my country), whether a standard is issued by the IETF, W3C, ISO or whatever, it is a standard, period.

* the report contains several criticisms without any counter-arguments. For instance, "None of these organisations [the RIRs] have tools to retract these resources when abused or otherwise used in wrong ways." The report seems to ignore that it would be pointless: a RIR can withdraw an allocation, but it will still be used, and be impossible to re-allocate. (RPKI may change that.)

* another example where the report is technically questionable is when it says "create a new internet. Work on this solution is actually being carried out and published on". (Which is substantiated by a reference to the Cerre report which, itself, mentions RINA and SCION, which says a lot about its credibility.)

> To focus not only on the technicians that have to deploy physically,
> but on those who can influence decisions to deploy and those
> deciding on the financial and resource wherewithal to deploy. Many
> participants, including IETF active, agreed that steps outside of
> the technical realm are necessary for these standards -and not only
> the IETF ones as you could see- to be deployed in a serious way,
> making all internet users more secure immediately and
> indiscriminately. Ideally without primarily government involvement.

The report is also problematic in what it does not mention. It is silent about political disagreements. If encryption took so long to be deployed, it was not because of technical issues but because several important stakeholders actively resisted, because they want the ability to conduct surveillance. No amount of outreach will make people adopt a technical standard which goes against their interests. The tussle is unavoidable.