> On Mar 30, 2020, at 6:45 AM, Vittorio Bertola <vittorio.bertola=40open-xchange.com@xxxxxxxxxxxxxx> wrote: > > No one outside the IETF has problems with the IETF using its own traditional method to make technical choices. However, the concerns arise when the IETF makes policy choices that are de facto binding for the whole Internet. For example, privileging encryption over security is a policy choice. Designing technologies to circumvent national and personal content control points is a policy choice. IETF participants seem to oscillate between claiming that these are objectively good policy choices (as if an "objectively good" policy choice could ever exist) and claiming that these are in fact technical choices (but they are not). Let me put a finer point on Keith's comment. "...privileging encryption over security" is a fairly interesting statement. The encryption people would, I think, tell you that encryption is a technology whose fundamental purpose is security, so it cannot be privileged over security. Now, on the other hand, in the TLS 1.3 discussion we have had people talking about privileging creating a new security key for every session over being able to debug operational problems in an operational environment, and I would say that is in fact very different; when security prevents people from debugging problems, that's something that I want the security people helping operators to solve. In your statement, I think the word "security" needs a definition. Encryption got privileged over what, specifically? A request we have gotten frequently from law enforcement is some form of back door - a way for law enforcement to bypass security technologies including (but not limited to) encryption under appropriate authority. The issue there has been an assumption - that the bypass was something that only law enforcement would or could use. Painful experience tells us that (quoting Europol's recent article on COVID-19, https://www.europol.europa.eu/newsroom/news/how-criminals-profit-covid-19-pandemic) organized crime is "very quick to adapt well-known ... schemes to capitalise on the anxieties and fears of victims throughout the crisis." One could say "fine, take the data back to the company and have them decrypt it". But we have ample history of organized crime finding ways to get companies to do that for them as well, such as LAPD's LAES engineer that got leaned on by organized crime (1997) with the result that organized crime was wiretapping the police. I don't see a good way to ensure security that doesn't make law enforcement's job harder. I don't see the value of apologizing for that.
Attachment:
signature.asc
Description: Message signed with OpenPGP