ietf

Re: Proposed Statement on "HTTPS everywhere for the IETF"

2015-06-01 17:54:57


On 01/06/15 23:41, Roland Dobbins wrote:

On 2 Jun 2015, at 4:27, Paul Wouters wrote:

We had to cater to governments banning encryption for its users, and
we now see what that got them.

They just go around the encryption and compromise the endpoints. 
They're *governments*, so they have the resources to do that (not
debating whether or not they should, just stating observed fact).

The proposed statement itself quotes two apparent counter examples
where (allegedly:-) governments used man on the side attacks and
at apparently significant scale.


Also, universal or near-universal encryption is a serious problem in
terms of detection, classification, traceback, and mitigation of
application-layer DDoS attacks.  It drastically limits the scaling
capacity of defenders, and results in even more cost asymmetry between
defenders and attackers (in favor of the attackers).

Please contribute concrete text on the technical details of that
to [1]. We do need to document the changes (including downsides)
caused by encrypting more. Text is very welcome for that. (Best
sent to saag(_at_)ietf(_dot_)org or the authors.)

   [1] https://tools.ietf.org/html/draft-mm-wg-effect-encrypt


My guess is that those who make bold, sweeping statements about how
everything ought to be encrypted all the time are rarely those who have
to deal with the unintended consequences of overencryption.

I hope that this discussion doesn't go down the purely distracting
rathole of statements like "everything ought to be encrypted all
the time" - that is as related to this statement as pixie dust
security solutions are to reality, regardless of what position one
adopts in relation to encryption.

That said, I suppose it's inevitable that this discussion at least
looks at the top of that rathole;-) I do hope it's a passing glance
only though.


In the final analysis, there are no technical solutions for social ills.
The entire issue of unwanted surveillance by government entities is a
social and political problem; it seems pretty clear that since the
social/political side of things isn't proving to be easily resolved,
that some folks are advocating doing *something*, *anything*,
irrespective of whether it will actually make a positive impact on the
conditions to which they object and without regard to the non-trivial
side-effects of what they're advocating.

The IESG and the IETF in general should concentrate on technical issues,
and work on solving social and political problems should take place in
other, more appropriate fora, IMHO.

I don't see how that corresponds to the proposed IESG statement at
all.

S.



-----------------------------------
Roland Dobbins <rdobbins(_at_)arbor(_dot_)net>



