
Re: Security for various IETF services

2014-04-07 09:03:05


--On Monday, April 07, 2014 09:03 -0400 Ted Lemon
<ted(_dot_)lemon(_at_)nominum(_dot_)com> wrote:

On Apr 7, 2014, at 7:01 AM, Stephen Farrell
<stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie> wrote:
Yes, we ought move away from passwords if/when we ever find an
acceptably better solution, and yes, people ought manage their
passwords well, but neither are today's reality more's the
pity.

Perhaps it would be worth setting up support for client certs
as a way to log in to IETF services.   If we won't start, why
would someone else?

If we are really serious about promoting/encouraging security,
I'd really like to see this as an option.  Not only would it be
responsive to Ted's question, but, if we made it available and
almost no one used it, it would give us a lot of information
about the course we are on.

As to the core proposal, unlike SM, I would like to see each new
application that someone proposes to be accessible through
"secure" means only discussed one at a time.  My fear of the
whole perpass effort was that it would be used in "we approved
that, therefore we can and should do this without further
discussion" arguments.  I just thought it would take a few years
to get to that point.

Finally, if the IETF effectively declares HTTP obsolete for
anything but legacy applications, I think it is logically
necessary that we create an applicability statement deprecating
HTTP and approve it.  Anyone really, seriously, want to go there
or think that we could without losing all credibility in the
vendor and user communities?

   john