
Re: Sarcarm and intimidation

2005-07-20 15:04:05
On 20-jul-2005, at 19:41, Hallam-Baker, Phillip wrote:

The number of arrests per capita and the total number of arrests in
several countries outstrips the US.

Well, since the number of countries in the world is counted in triple digits, it's highly unlikely that the US is at the top of pretty much _any_ list. I'd be more interested to learn the differences between the US and comparable countries.

However, I immediately believe that US law enforcement isn't doing all it could in this area.

How can you secure a communication channel against crime in general?

Accountability.

If by accountability you mean "making it impossible for the bad guys to hide" then I have to disagree. IP already has a fairly high degree of accountability by virtue of the IP address. Any time an attacker engages in bidirectional communication it should be possible to find him. However, the problem is that the world is a big place with many different laws. So accountability in the sense that when someone does something bad she has to pay the consequences isn't likely in the foreseeable future, assuming a global internet like we have today.

If you expect the IETF to stop pensioner savings stealing, you're
setting yourself up for a big disappointment.

I expect that whatever body leads Internet standards making will be
doing all it can to stop Internet criminals from stealing pensioners'
life savings.

Well, that's an interesting idea. Don't we have law enforcement, the same people we were both bashing at the beginning of the message, to do this? Can the IETF in fact do this? Should it want to?

SSL is far from perfect, but I wouldn't say it's shelfware. It allows
consenting hosts to secure themselves against men in the middle and
eavesdroppers without aid from the network. E2e in its purest form,
I'd say.

Actually it's a transport layer security mechanism. It does not provide
end to end integrity guarantees, non-repudiation or any of the other
silly requirements I and others tried to impose on the HTTP security
mechanism in the mid 90s.

Like I said, it isn't perfect.

More email is encrypted using SSL than any other technique. But it is
only transport encryption, the message is en clair on the mail server
and is decrypted and re-encrypted for every message hop.

I agree, SSL for SMTP isn't very useful except to show law enforcement types that they have to work a bit harder than simply run tcpdump on the wire that connects to the big mail server. But that's what you get for running prehistoric store-and-forward protocols.

However, for applications such as ecommerce over the web, where SSL can indeed be deployed end-to-end, it's an unqualified success.

As for better security on the internet: in my opinion, the biggest problem we have today is that a receiver is forced to receive whatever anyone else connected to the network sees fit to transmit. In some areas, such as email, accountability can help, but in others, such as DDoS, this won't make a difference. What we need here is ways for customers to have their ISPs reject unwanted traffic, while "good" traffic is allowed through. One way to do this would be for the ISP to do proxy IPsec AH verification. If the intended destination gives out keys that are tied to the source address, only "good" source addresses can generate the right HMACs and DDoS is a thing of the past. (Well, if you have enough 10Gbps line rate crypto line cards and there are of course some details to work out such as distributing the keys and revoking compromised ones.)

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
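The "proxy IPsec AH verification" sketch in the last paragraph of the message above, worked through as an added toy model (this is not code from the thread or from any IETF specification, and the packet layout, key-derivation rule and class names are assumptions for illustration). The destination holds a master key, derives one key per permitted source address, gives that key to the source, and gives the master key to its ISP; the ISP then re-derives the per-source key from the source address in each packet and forwards only packets whose HMAC verifies. A host that has no key for the address it claims as its source cannot produce a valid tag, which is the property the message relies on; the block also shows the two details it mentions as left to work out, revocation and a simple replay check.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed example, not code from the IETF thread. IPv4 only, and the
# "AH" here is just the immutable header fields plus payload under an HMAC.
TAG_LEN = 12  # 96-bit truncated HMAC, the length AH uses for its ICV


def derive_source_key(master_key: bytes, src: str) -> bytes:
    """Key tied to a source address: HMAC(master, packed address).
    The destination hands this to the legitimate holder of `src`."""
    packed = ipaddress.IPv4Address(src).packed
    return hmac.new(master_key, b"src-key|" + packed, hashlib.sha256).digest()


def tag_packet(src_key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    """Sender side: emit src | dst | seq | tag | payload, with the tag
    covering every field that the network must not be able to change."""
    hdr = (ipaddress.IPv4Address(src).packed
           + ipaddress.IPv4Address(dst).packed
           + struct.pack(">I", seq))
    tag = hmac.new(src_key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + tag + payload


class ProxyVerifier:
    """ISP-side filter in front of one destination. It holds the
    destination's master key, so it can check any source's tag without
    a per-source key table, and drops anything that does not verify."""

    def __init__(self, master_key: bytes, dst: str, revoked=()):
        self.master_key = master_key
        self.dst = dst
        self.revoked = set(revoked)   # addresses whose key the destination withdrew
        self.last_seq = {}            # simplified replay check: strictly increasing seq

    def accept(self, packet: bytes) -> bool:
        if len(packet) < 12 + TAG_LEN:
            return False
        src = str(ipaddress.IPv4Address(packet[0:4]))
        dst = str(ipaddress.IPv4Address(packet[4:8]))
        seq = struct.unpack(">I", packet[8:12])[0]
        tag = packet[12:12 + TAG_LEN]
        payload = packet[12 + TAG_LEN:]
        if dst != self.dst or src in self.revoked:
            return False
        key = derive_source_key(self.master_key, src)
        expected = hmac.new(key, packet[0:12] + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False               # wrong key for the claimed source, or altered
        if seq <= self.last_seq.get(src, -1):
            return False               # replay of a packet already forwarded
        self.last_seq[src] = seq
        return True


def demo() -> dict:
    """Constructed scenario: one permitted source, one revoked source, and a
    sender that spoofs the permitted address without holding its key."""
    master = os.urandom(32)                 # lives at the destination and its ISP
    dst, good, revoked = "192.0.2.10", "198.51.100.5", "198.51.100.9"
    proxy = ProxyVerifier(master, dst, revoked=[revoked])
    good_key = derive_source_key(master, good)
    revoked_key = derive_source_key(master, revoked)
    pkt = tag_packet(good_key, good, dst, 1, b"hello")
    return {
        "good": proxy.accept(pkt),
        "replay": proxy.accept(pkt),
        # claims the good source address but only has an unrelated key
        "spoofed": proxy.accept(tag_packet(os.urandom(32), good, dst, 2, b"flood")),
        # correct key, but the destination withdrew it
        "revoked": proxy.accept(tag_packet(revoked_key, revoked, dst, 1, b"x")),
        # payload modified in transit after tagging
        "tampered": proxy.accept(tag_packet(good_key, good, dst, 3, b"abc")[:-1] + b"z"),
        "next_good": proxy.accept(tag_packet(good_key, good, dst, 4, b"ok")),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing. Because the ISP derives keys from the master rather than storing them, a revocation has to be an explicit deny list (or a key rotation at the destination), which is the key-management detail the message says still needs working out. And the check is only as cheap as one HMAC per packet at line rate, which is exactly the "enough 10Gbps crypto line cards" caveat the message makes.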
