
Re: Call for comment: draft-iab-strint-report-02.txt

2015-06-03 15:49:13
Hi,

I would suggest that this document is pretty close to ready, but not
quite ready.

The language/tone and some of the content of the report really need a
lot of tightening up, and the record is not entirely accurate.  Here
are a few "for instances".

Regarding hotel networking, the draft states: "It seems some protocol is
missing in this case."  The presentation given was all about the
challenges of how protocols like WISPr rely upon clear text.  The
problem is that the portal can't intercept HTTP and pose the question to
the user without a security warning popping up (if it works at all).
The whole point was that in the face of encryption a mechanism is needed
to authorize users onto such networks, and that is what should be stated.

In on-by-default we discussed, for instance, a more nuanced approach
where there might be some protocols where it would be absolutely the
case that one would never want unencrypted traffic (SCIM was an
example), and others where some of the challenges of encryption would
make it not worthwhile (we discussed discovery protocols, as I recall). 
That was to be part of follow-on work (part of the draft that was
mentioned).

Another example, “Hopefully, they supervise their security better
than...”  Either they do or they don't.  But the phrasing of that is a
bit off.  And I'm not entirely sure what "supervise their security"
means, but I do know what "expending effort in securing their offering"
means.

On this statement:

   Lack of interoperability between systems is in itself a threat as it
   leads to work-arounds and compromises that may be less secure.

It's not lack of interoperability that's the threat but poorly thought
out workarounds.

In the cyberinsurance market it is interoperability that is the threat
(not the lack thereof) because it increases the risk of a catastrophic
loss.  The whole tie-in to epidemiological modeling and cybersecurity is
based on this fact (one of our luminaries was notoriously fired from a
company when he pointed out the risks of a monoculture which is
inherently interoperable (he's still around- they're not ;-)).

I'll stop there for now, but really the report could use a few more
eyes.

Eliot

On 6/3/15 8:30 PM, IAB Chair wrote:
Dear colleagues,

This is an announcement of an IETF-wide Call for Comment on
draft-iab-strint-report-02.txt.

The document is being considered for publication as an Informational RFC
within the IAB stream, and is available for inspection here:
https://www.ietf.org/id/draft-iab-strint-report-02.txt

The Call for Comment will last until 2015-07-01. Please send comments to
iab(_at_)iab(_dot_)org.

Best regards,
Andrew Sullivan
IAB chair
On behalf of the IAB


Attachment: signature.asc
Description: OpenPGP digital signature
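The captive-portal interception Eliot describes above (a hotel portal that answers a clear-text HTTP request with a redirect to its own login page, and the probe an operating system uses to notice that), as an added, self-contained example that is not part of this thread and not code from the STRINT report, WISPr, or any vendor. The portal, the probe path, the "success" body and the one-click login are all made up for the demo and run on localhost; a real WISPr portal would check credentials on the login page.

```python
"""Clear-text captive-portal interception and the probe that detects it.

Added example, not from the mailing-list thread or the STRINT report.
Everything here (probe path, expected body, the toy portal) is invented
for the demo and runs entirely on 127.0.0.1.
"""
import http.client
import http.server
import threading
import urllib.request

PROBE_PATH = "/probe"          # assumed probe URL an OS would fetch on connect
EXPECTED_BODY = b"success"     # assumed body the real probe host returns


class CaptivePortal(http.server.HTTPServer):
    """Toy hotel portal: tracks whether the (single) client has signed in."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.authorized = False


class PortalHandler(http.server.BaseHTTPRequestHandler):
    """Answers on behalf of *every* host while the client is unauthorized.

    This only works because the request is clear text: the portal can read
    the path, decide the client is not signed in, and substitute its own
    302.  Over TLS the same box could not present a valid certificate for
    the probed host, so the client would see a certificate failure instead
    of a login page, which is the problem the thread is discussing.
    """

    def do_GET(self):
        host, port = self.server.server_address
        if self.path == "/login":
            # Stand-in for the WISPr sign-in step: one GET grants access.
            self.server.authorized = True
            self._reply(200, b"welcome")
            return
        if not self.server.authorized:
            # Hijack the clear-text request and bounce it to the portal.
            self.send_response(302)
            self.send_header("Location", f"http://{host}:{port}/login")
            self.end_headers()
            return
        # Authorized: behave like the genuine probe host.
        self._reply(200, EXPECTED_BODY)

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def probe(host, port):
    """Fetch the probe over plain HTTP without following redirects.

    Returns ("open", None) when the expected body comes back untouched and
    ("captive", location) when something in the path answered instead,
    which is the heuristic real captive-portal detection relies on.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": "probe.example"})
        resp = conn.getresponse()
        body = resp.read()
        if resp.status == 200 and body == EXPECTED_BODY:
            return "open", None
        return "captive", resp.getheader("Location")
    finally:
        conn.close()


def start_portal():
    """Bind the toy portal to an ephemeral localhost port and serve it."""
    server = CaptivePortal(("127.0.0.1", 0), PortalHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Probe, sign in at the page the redirect pointed to, probe again."""
    server = start_portal()
    host, port = server.server_address
    try:
        before, login_url = probe(host, port)
        if login_url is not None:
            with urllib.request.urlopen(login_url, timeout=5) as r:
                r.read()  # the user "clicks through" the portal page
        after, _ = probe(host, port)
        return before, after
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())  # ('captive', 'open')
```

The first probe comes back as a 302 to the portal's login page, the second, after the sign-in, returns the genuine body. Nothing in this demo touches TLS on purpose: the point Eliot makes is that once the probe is HTTPS the portal has no equivalent move, and a client that wants onto the network needs a deliberate authorization mechanism rather than an intercepted page.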
