Re: Call for a Jasmine Revolution in the IETF: Privacy, Integrity,

1) WPA/WPA2 is not an end to end protocol by any stretch of imagination. It
is link layer security.

The fact that you would even try to pass off the special case of the ends of
the link being the ends of the communication suggests that you understand
how weak your case is here.


2) My argument was based on usage by the billion plus Internet users.

I don't think more than about 5% of Internet users have ever used one of the
protocols you mention. And of the people who install free encryption
add-ons, the number who actually go on to use them regularly
is infinitesimal.

Now that particular group are a pretty important group with pretty important
reasons for doing what they do. But from my perspective it was a mistake to
design Internet security so that it could only serve their needs and not the
needs of even a majority of Internet users.





On Thu, Mar 10, 2011 at 11:25 PM, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:

> Phillip Hallam-Baker wrote:
> > Another mistake was the absolutist insistence on end to end security
> models
> > despite abundant evidence that people could not make use of them.
> Military
> > communications use end-to-end where possible but they have the luxury of
> > specialist trained cipher clerks and coms operators.
> I don't think this is correct.
>
> The end-to-end security model is actually the only one that did work,
> provided that it could be used in an ad-hoc fashion PGP, SSH, WPA/WPA2
> -- i.e. without any need to involve any third party, pay fees and go
> through a very bureaucratic setup process and end up with a severely
> constrained, lifetime-limited result.
>
>
> Things that failed badly are those that are severly usability-impaired
> for ad-hoc usage (such as TLS) or completely locked against ad-hoc usage
> (such as S/MIME), simply because the technology completely ignored
> how security works for humans in real life: it starts ad-hoc with a
> leap-of-faith on initial encounter and trust develops over time
> through memorizing experience of previous encounters.
>
> The original SSH approach is really the most natural fit, and it just
> worked out-of-the box for Linux installations (I realize I haven't
> been installing Linux Distros for a couple of years ...)  Did this
> change in the meantime?
>
>
>
> A devastatingly large number of Web-Servers and WebShops has been
> misapplying SSL/TLS.  And it takes Foolproof point-and-click exploits
> such as Firesheep to make businesses move slighlty towards better
> security from the irresponsible state they've been holding for
> years in full awareness of their own negligence.
>
>
> -Martin


-- 
Website: http://hallambaker.com/

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf