
Re: Last Call: <draft-farrell-perpass-attack-02.txt> (Pervasive Monitoring is an Attack) to Best Current Practice

2014-01-02 09:40:22
---- Original Message -----
From: "Melinda Shore" <melinda(_dot_)shore(_at_)gmail(_dot_)com>
To: "Ted Lemon" <ted(_dot_)lemon(_at_)nominum(_dot_)com>
Cc: "IETF Discussion" <ietf(_at_)ietf(_dot_)org>
Sent: Thursday, January 02, 2014 3:39 AM
On 1/1/14 6:11 PM, Ted Lemon wrote:
On Jan 1, 2014, at 6:07 PM, Melinda Shore <melinda(_dot_)shore(_at_)gmail(_dot_)com> wrote:
<snip>

One of the reasons I'm somewhat annoyed about the wave of
gasbaggery and pontification that has followed truly disturbing
revelations about the extent to which the US government has
undermined privacy and compromised security technologies is
that work which might have helped provide tools to mitigate
some of the soft spots in IETF work has been backburnered in
favor of no small amount of unfocused grandiosity that doesn't
actually change much.

Melinda

I note your explicit reference to the US government.  I note, too,
recent postings (e.g. on the TLS and UTA lists) which cast doubt on the
integrity of the (American) NSA which, in turn, reminds me that I see
the USA as a country of small government (starting with the Founding
Fathers), something to be distrusted, subverted even, and I think that
that is colo(u)ring this discussion (whether or not the proponents of
this I-D are American citizens).

Elsewhere, I believe that governments are more trusted, so when the head
of a (non-American) national security agency says that the world is now
a more dangerous place, that successful terrorist attacks are more
likely because of recent revelations, then that consideration, of
personal security, outweighs my concern that someone is reading my
messages to, say, a secret lover.  I have been close to terrorist
attacks - doubtless some on this list have been directly affected by
them - and while I see them as probability low/impact high, I am more
concerned about that risk than that of the state seeing something I
would rather it did not.  And, as I said before, if there is any breach
of privacy that concerns me, and again it is one that I see echoed in
the national media, it is that of the assembling of personal profiles by
large, quasi-monopolistic websites, something which the aspirations
of this I-D would seem to make more likely.

Tom Petch

At any rate this draft is not RFC3552.  3552 provides very specific
guidelines for what needs to be considered in
writing^H^H^H^H^H^H^H^Hreviewing security considerations.

It is tempting to just let this through last call in hopes that
once it's done we can come back around to prioritizing work like
fixing PKI but I'd be very sorry indeed to see this published as a
BCP.

Melinda


