
Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-06 02:08:03
At 20:32 05-09-2013, Vinayak Hegde wrote:
> While it is nice to do a dedication of this meeting to the NSA surveillance, I do not see us solving any issue here. It is merely a "feel-good" measure without real impact.

:-)

> Second, technology can never fix what is essentially a political problem. For example, we mandate strong security protocols and end-to-end encryption in HTTP(S) by default. Let's

In a Last Call comment a few months ago it was mentioned that a specification takes the stance that security is an optional feature. I once watched a Security Area Director spend thirty minutes trying to explain to a working group that a security feature should be implemented. If I recall correctly the working group was unconvinced.

Would the community raise it as an issue during a Last Call if a proposed protocol did not have strong security features? It's up to the reader to determine the answer to that.

> assume all browsers implement this and do this perfectly without software flaws. All the NSA has to do is to compromise the other endpoint (controlled by ACME major corp). ACME gives over the encryption keys and access to all the unencrypted data to the NSA. So now

Yes.

> what are we going to do? The IETF can make a political statement by taking a stand but that may mean nothing in reality when the laws are weak. Another example is when you have

Taking a stand that means nothing is a feel-good measure.

> encrypted your drive and do not want to hand over the keys as it has some personal (and possibly incriminating evidence). In several countries you can be held in jail indefinitely (with obvious renewals of sentences) until you hand the keys over[1]. So in summary, technology cannot solve political and legal issues. At best it can make it harder. But in this case maybe not even that.

The IETF outlook does not apply in several countries. The IETF does not seem to pay much attention to that detail (re. hand the keys). It's not clear what the emergency is. Phillip Hallam-Baker and Brian Carpenter already mentioned that it's not like this is a surprise.

According to a news article, key architects of the Internet plan to fight back by drawing a plan to defend against state-sponsored surveillance. Anyway, if someone really wanted to call for an emergency response the person would have sent it to an IETF mailing list.

At 20:08 05-09-2013, Ted Lemon wrote:
> I think we all knew NSA was collecting the data. Why didn't we do something about it sooner? Wasn't it an emergency when the PATRIOT act was passed? We certainly thought it was an emergency back in the days of Skipjack, but then they convinced us we'd won. Turns out they just went around us.

I would describe it as a scuffle instead of a battle. My guess is that the IETF did not do anything sooner as nobody knows what to do, or it may be that the IETF has become conservative and it does not pay attention to the minority report.

At 23:04 05-09-2013, Jari Arkko wrote:
> I think we should seize this opportunity to take a hard look at what we can do better.

:-)

> And please do not think about all this just in terms of the recent revelations. The

That's an interesting perspective.

> security in the Internet is still a challenge, and if there are improvements they will be generally useful for many reasons and for many years to come. Perhaps this year's discussions are our ticket to motivate the world to move from "by default insecure" communications to "by default secure". Publicity and motivation are important, too.

Yes.

Regards,
-sm