If people can tamper with the process without traceability, is the process open?
In order to be sure that you’ve produced an open result, should the activities
of the process happen in secret? What assurance would that give you in the
result? If the process is completely without merit - then what difference is
it how (or if) someone might get the result?
Encrypting the process of getting the result is only working on the very last
piece of the issue - isn’t it? What use would that be without doing the other
work to make the process trustable and robust?
HTTPS conveys to me that I have some level of trust in that I am communicating
with the service I intended. (I’m ignoring, completely that not all CA’s are
equal and that DNS might completely lie to me along the way.) That, for me at
least, doesn’t necessarily create trust in the “product” of the service.
I buy crappy stuff from Amazon all the time, I’m just attempting to achieve
that (1) it’s a little difficult to steal my credit card # (2) Amazon is forced
to comply with PCI by the credit card processing companies. The thing I order
from Amazon may still be a total piece of junk.
HTTPS protects a user (presumably) from someone knowing which standard that
downloaded or which mailing list archive they might have read. If there is
pervasive passive monitoring, it doesn’t protect them from being recognized as
having gone to IETF. And if you really have enough passive monitoring -
determining which standard gets downloaded might be possible too, watch for the
traffic spike, and check the size. (It’s really easy for those reading NFS :)
.) Because the passive monitor can get all the standards too, and know their
size just as well.
--
Chris Inacio
inacio(_at_)cert(_dot_)org
On Nov 7, 2013, at 9:33 AM, Noel Chiappa
<jnc(_at_)mercury(_dot_)lcs(_dot_)mit(_dot_)edu> wrote:
From: Chris Inacio <inacio(_at_)cert(_dot_)org>
To that effect, if we're really serious about this stuff, shouldn't
we want all email on the lists signed as well?
?? That would provide authentication. I thought the issue on the table was
privacy?
Noel