ietf
[Top] [All Lists]

RE: Security for various IETF services

2014-04-06 20:06:54
to enlarge on that:
http://www.ietf.org/proceedings/88/perpass.html
no charter

http://tools.ietf.org/wg/perpass
not found

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of 
l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk 
[l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk]
Sent: 07 April 2014 01:35
To: huitema(_at_)microsoft(_dot_)com; ietf(_at_)ietf(_dot_)org
Subject: RE: Security for various IETF services

https://datatracker.ietf.org/wg/perpass/
that's a lot of drafts.

and yet perpass is still not a WG with formal process and charter? Odd, that.

Knee-jerk reactions are not good things.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Christian Huitema 
[huitema(_at_)microsoft(_dot_)com]
Sent: 07 April 2014 00:30
To: ietf(_at_)ietf(_dot_)org
Subject: RE: Security for various IETF services

I agree with those who've said a threat analysis is needed before
deciding access is limited to TLS or other secure alternative.

But we have that threat analysis, and the recommended mitigation is precisely 
"encrypt everything." The "pervasive monitoring" threat is analyzed by a number 
of perpass drafts, and Stephen has merely followed the conclusions of that 
analysis. There is no need to repeat that analysis for each and every tool that 
the IETF produces, and there is indeed a need for the IETF as a whole to "lead 
by example."

-- Christian Huitema