On the other hand, if the IAB/IESG is hell-bent on encrypting everything
(eating their own dogfood) then perhaps
we should not stand in the way. I am sure that other, open, fora will emerge
to take the place of the IETF.
/bill
PO Box 12317
Marina del Rey, CA 90295
310.322.8102
On 6April2015Monday, at 7:36, ned+ietf(_at_)mauve(_dot_)mrochek(_dot_)com wrote:
Hi,
On 4/4/15 3:38 AM, Stephen Farrell wrote:
My suggestion is to forget about how 7258 might or might not
relate to the subject line here, and deal more with the subject
line itself. Let's save our energy for arguing about privacy
when accessing public information for discussing situations
where it matters much more and where users know less, both of
which are more typical and more important.
It seems that we're conflating two issues: privacy and protection
against pervasive surveillance. What we have discussed in the past, and
in fact it was part of what Bruce presented in Vancouver, was that in
order to mitigate a pervasive surveillance attack, *all *information –
not just that which we might consider sensitive – should be encrypted.
This is especially the case when multiple services run on the same
infrastructure.
Maybe Stephen is conflating things, but I'm not, and I don't think most other
people on this thread are.
And I was aware of Phil Zimmerman's postcards versus letters line of
reasoning
long before Bruce reiterated it in Vancouver.
My point was, and is, that there are competing interests here. (Or, if you
like
the way Bruce puts things, "Security is always a tradeoff.") And it's my
position that in this case the need for people - including those who for one
reason or another don't have access to ubquituous security - to be able to
access the information is vastly more important than protection pervasive
surveillance, or privacy, or always using envelopes, or whatever you want to
call it.
Again, this isn't because I don't understand the concern you're raising. I
understand the concern quite well. I just don't think it wins out in this
case.
Going further, the IAB has said that communications should be
encrypted.[1] If we as a community wish others to encrypt their
traffic, we should of course do what we can to encrypt our own. In the
alternative, let's have a deeper exploration of encryption and
confidentiality and the tradeoffs so that more specific advice can be
given to the broader community that we ourselves can follow.
Doing what we can != forcing things onto people that limit access. This is
very
weak tea indeed.
Ned