
Re: Observations on (non-technical) changes affecting IETF operations

2016-03-09 09:11:07

I think that I understand what you are saying, so let me repeat it back to
you in my own words.

Phillip Hallam-Baker <phill(_at_)hallambaker(_dot_)com> wrote:
    > First, I disagree with Jari's original analysis of the problem. The
    > Internet security problem is not limited to IoT:

I tend to agree... the only reason we aren't as "concerned" about non-IoT
things is because we can (in theory) update them, the devices are used
directly by humans who sometimes notice if they are broken (or p0wned),
and the passwords, as weak as they are, can in theory, be stored in the
human, rather than in the system.  (In practice: it's better to let the
browser store them)

    > I think the big difference is that in IoT it is impossible to ignore
    > the usability problem that cripples most IETF security protocols. With
    > the new EC curves we can now do public key crypto on 16 bit and even 8
    > bit devices (just don't do it too often). But we are still constrained
    > by the affordances of the devices:

So, I see this as an opportunity...

It's like the book with no letter e:
     https://en.wikipedia.org/wiki/Gadsby_(novel)

artists impose arbitrary restrictions on themselves in order to do better
work.

The IoT space is restrictive, and has no humans to pick options or store
passwords, so we have to do it correctly.  It's also much more of a
greenfield with no clear incumbent.  Therefore we can throw away many of the
things that turned out to be unworkable/insecure, like passwords.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr(_at_)sandelman(_dot_)ca  http://www.sandelman.ca/        |   ruby on rails    [
