ietf

Re: Agenda, security, and monitoring

2014-02-02 18:45:26
On 2/1/14 11:18 PM, John C Klensin wrote:

Sorry, I wasn't clear.  At least in this particular context, I
have no interest at all in authentication.  My interest was in a
demonstration of the ability to handle encryption.  For S/MIME
and PGP, if I can sign a message, I can decrypt a message that
is sent to me.  From a privacy or surveillance resistance
standpoint, the latter, and a way to demonstrate that
capability, are important.  Authentication is irrelevant and, as
you say, not helpful in that context.

I agree that authentication is irrelevant in this context. But that leads me to agree with Dave on a central point (hence the little I-D we've been banging on and submitted to the STRINT folks): The problem with PGP and S/MIME is that they require authentication in order to start using encryption, and since authentication is both irrelevant to this *and* a pain to do, I don't think it's likely that mechanisms that require authentication to get started are good candidates to address PM, let alone be a terribly good demonstration that we can do encryption. I can't get torqued about people participating in a key signing: If you're interested in using those tools, go for it. But I do think that if we want to make headway on the PM problem and convince people that we can address pieces of it, we need to start looking at different sorts of mechanisms.

I suspect Ted might be right and this is simply an integration problem. I'm not sure whether Dave agrees or disagrees with me on this, but I think we've got the tools in our toolbox already: The bones (and much of the meat) of PGP or S/MIME might be perfectly suitable with some re-working. But I think until that re-working is done, we're not likely to have a good demonstration of this stuff actually working, especially if "the best technology we have is annoying and will require you and your correspondents to learn more, and fuss more, than you would probably like".

pr

--
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478