ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-15 08:49:10
from [Phillip Hallam-Baker] [Permanent Link] 
On Sun, Sep 15, 2013 at 9:10 AM, Tobias Gondrom
<tobias(_dot_)gondrom(_at_)gondrom(_dot_)org>wrote:


 On 09/09/13 09:29, Eliot Lear wrote:

We're talking.

Eliot


On 9/9/13 10:20 AM, Ross Finlayson wrote:

 So, has Bruce Schneier actually been invited to speak at the Technical 
Plenary (or elsewhere) during the Vancouver IETF?  I recall him giving an 
informative talk at least one previous Tech Plenary, and in light of his 
'proposal', if would be interesting to hear what he believes to be broken, 
and what the IETF might be able to do to help fix it.

      Ross.





A small comment: actually I would like to (read: expect to) read what he
(and others) believe to be broken _before_ the next Plenary and giving a
speak there. And as specific and constructive as possible. That way we will
be much more effective talking about issues at the plenary and starting
stuff at WGs.



Quite, pointing out what is broken is exactly the type of contribution
Schneier could make. He is very good at spotting holes in security schemes.
I must say I am a little annoyed by his approach. He could deign to post on
the IETF lists himself rather than give oracular statements and then take
the credit.

Security is all about risk mitigation, not risk elimination, as I argued to
Bruce in the wake of his 15 risks of PKI article before he wrote Secrets
and Lies. Security design means tradeoffs and designing to mitigate the
chief risks. Unlike generals who can spend millions of tax payer dollars
making their operations room look like the bridge of the Enterprise, I have
to consider resources.

We do have several areas where we could make significant advances however:

1) Technical improvements to TLS such as recommending sites turn on PFS by
default and remove weak ciphers.

2) Stop sending authentication cookies in the clear whether or not they are
sent inside an encrypted tunnel.

http://tools.ietf.org/html/draft-hallambaker-httpsession-01

3) Fix the missing 5% that stops people using secure email. We have PGP
that has mindshare and S/MIME that has deployment and both are too much
trouble for most IETF people to use, let alone the typical Internet user.
We can and should fix that.


Phill



-- 
Website: http://hallambaker.com/
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Bruce Schneier's Proposal to dedicate November meeting to savingthe Internet from the NSA, Tobias Gondrom
Next by Date:  Re: Messages to SPFBIS mailing list (was: [spfbis] Benoit Claise's No Objection on draft-ietf-spfbis-4408bis-19: (with COMMENT)), Douglas Otis
Previous by Thread:  Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA, Tobias Gondrom
Next by Thread:  Re: Bruce Schneier's Proposal to dedicate November meeting to savingthe Internet from the NSA, Phillip Hallam-Baker
Indexes:  [Date] [Thread] [Top] [All Lists]