ietf

Re: Security for various IETF services

2014-04-05 12:25:50
Agreed on all points. This is rapidly turning into the IETF's own version
of "if we can, we must" thinking.

                                Ned


"The IETF are committed to providing secure and privacy
friendly access to information via the web, mail, jabber
and other services.

Please confirm that "friendly" implies that the user gets to
choose the degree of security and privacy that they consider
appropriate, and that their applications and devices are not
encumbered with the overheads unless they choose to invoke
the privacy and security mechanisms.
 

While most (but not all) data on IETF
services is public, nonetheless access to that data
should use best practices for security and privacy.

I agree, but please can you clarify your interpretation
of "best practice" so that we can understand how
liberal or prescriptive this is?

However, as there are numerous legacy tools that have been
built that require access via cleartext, the IETF will
continue to allow such access so as not to break such
tooling. New services will however generally only be made
available in ways that use security protocols such as
TLS."


That is worrying, because it seems that you are intent on
encumbering transactions, without requiring a case by
case study of the threat model, and applying a security
and privacy model that is appropriate to the specific
transaction.

Stewart.