
Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

2013-12-06 12:53:55
----- Original Message -----
From: "Stefan Winter" <stefan(_dot_)winter(_at_)restena(_dot_)lu>
To: <ietf(_at_)ietf(_dot_)org>
Sent: Friday, December 06, 2013 10:15 AM

Not long ago, someone was stabbed with a knife, so:

Encryption has its dangers and the IETF should not be encouraging its
widespread adoption.

Knives have their dangers, and the metal-processing industry should not
be encouraging their widespread adoption.

Funny - that conclusion, which is analogous to yours, doesn't make much
sense to me. Does it to you?

Encryption is a tool - it's neither good nor bad in itself. What you do
with it is the question.

What we have seen in deployed reality is that lack of usage of this tool
by the internet population at large has played into the hands of
adversaries. The idea to put the tool into everybody's hands and make
them *use* it is absolutely a good idea as a countermeasure IMHO.

Especially since the adversaries *are* using it, regardless of whether the
good guys do or not. The rioters you mention above did use it - and they
can continue to do so no matter what we decide in the IETF. The TV
manufacturer could have used it - they were simply stupid enough to
forget about it.

<tp>
The analogy that comes to my mind is not knives, but guns.

Many, probably most, countries in the world place quite stringent
restrictions on what their citizens can do in owning or using guns.
Were the UN to produce a convention restricting their use, one country
one vote, I expect that it would be passed with a large majority.  The
evil done by terrorists, criminals, evil empires and so on with guns
outweighs the good.

The technology is neutral; the user of it is evil or not, as the case
may be.

If encryption makes terrorism, crime and so on more likely, then we
could see countries impose restrictions on encryption in the same way as
for guns, and a few years down the line, the role of the IETF in
encouraging the use of strong encryption could be seen as a serious
misjudgment, one that is damaging to the standing of the IETF.

Authentication is fine, in fact I think that it is grossly misunderstood
and underused and does not, as far as I can see, pose a threat;
encryption is a different matter.

Tom Petch

Greetings,

Stefan Winter


Tom Petch


