
Re: Hum theatre

2013-11-07 12:49:27
Yay! What he said!

(There will be those who now say, "Wait! I thought Pete disagreed. I don't understand." Talk to me offline. Trying to explain on the IETF list will be less than productive.)

pr

On 11/7/13 10:09 AM, Jari Arkko wrote:
I'd actually like to argue that the IETF position on this topic is something 
bigger, something where the plenary discussion and hums played a supporting 
role but they are not the sole determination. Here's my take-away from this 
week:

"The IETF considers pervasive-monitoring as a security issue and is willing to work 
to address it."

Nothing more, nothing less. Most working groups that I went to were addressing this topic in one 
way or the other, going through application by application, doing careful work to understand what 
options we have to improve security, and weighing the various trade-offs in different designs. The 
proof of the pudding is in the eating. "We need to address it" vs. "We are putting 
in the cycles to address it". When I look at the discussions throughout the week, it is very 
clear to me that we are putting in the cycles.

As Carsten said:

As always, hard work follows, and the devil is in the details.  But that 
doesn’t take away from the unanimity.

And indeed there are a lot of details and trade-offs to worry about. 
Opportunistic encryption, for instance, has been discussed at length this week 
and the variants and trade-offs are far from clear.

I think the next steps are what is important. And this is a long term effort. 
Here are some of the things we should be doing:

- work on the general guidance in this area ("consider it as an attack", "recommended ways to 
apply opportunistic encryption", "threat model changes", ...)

- work on the specific protocols and application areas (http, xmpp, etc)

--
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478
