On Sun, Dec 8, 2013 at 3:34 PM, Stephen Farrell <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> wrote:

On 12/08/2013 05:56 AM, l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk wrote:

Stephen,

I've no idea what you think you mean when you say 'moving beyond
mandatory to implement'. My take is that encryption should never be
mandatory to implement.

MTI security is what's called for by BCP 61. Sometimes the MTI
security for a protocol will involve confidentiality, other
times (e.g. routing protocols) it has tended not to. So your
"take" is at odds with long standing IETF BCPs.

Traditionally the IETF has considered security to be end-to-end security or
nothing. Protecting against meta-data and traffic analysis attacks has been
considered to be too hard and too little return on investment.

Whether or not we agreed with the past status quo (I did not), it was a
product of the constraints and security requirements that existed
pre-Snowden. One of the effects of Snowden is that there are more people
willing to commit more resources to solving security problems. So even if
you are not surprised by the Snowden releases, the fact that the knowledge
is out there changes what is possible.

Before Snowden I thought that any attempt to deploy end-to-end email
security was futile. After Snowden I think that we have another chance.
Which is rather strange given that it is not a protection against meta or
traffic analysis. But that is just a consequence of the fact that I can
build on twenty years of work and a ten year base of deployed code that is
95% right.
--
Website: http://hallambaker.com/