ietf

Re: The CIA mentions us

2017-03-09 15:11:48
There are two issues

1) Requirements, how should this data be secured?
2) Technology, how can the requirements be met?

I totally agree that transport layer encryption is not enough here. The
security requirement is end to end.

Proprietary products that meet that requirement do exist and the US
agencies that do this work have the financial and technical means to deploy
and use them and I have no problem with the idea of imposing a requirement
on that group that requires them to pay for the tools.

However, it is not just the US agencies doing this work. There are now 117
cyber commands and there is a real problem of 'loose cyber-weapons'. It is
to the interest of the US and to all the other cyber-commands that a norm
is established that cyber weapons are secured end to end throughout their
lifecycle and tools produced to enable that to be achieved.


Such tools do not currently exist. However some key patent expiries that
have occurred and will be complete in November this year make true end to
end data level encryption practical. I have proof of concept but short of
infringing code running in the lab which I will push out as soon as I can
together with the supporting specifications.






On Thu, Mar 9, 2017 at 4:02 PM, John C Klensin <john-ietf(_at_)jck(_dot_)com> 
wrote:

Jari,

Let me suggest one addition to your list (with which I otherwise
agree):

5. No matter how strong the in-transit encryption or other
measures, they don't mean much if the relevant endpoint hosts,
or intermediate hosts that have the traffic in the clear, can be
compromised.  We all know that, but we seem to sometimes need
reminding.   In particular, while it is definitely not an
argument against link encryption, we need to be cautious that we
are not protecting things in a way that inadvertently shifts the
points of vulnerability from one place to another (especially
another that is either more easily compromised or that
constitutes a larger and more concentrated single point of
failure) and then assume that it makes things more secure
overall.

best,
    john


--On Thursday, March 9, 2017 22:36 +0200 Jari Arkko
<jari(_dot_)arkko(_at_)piuha(_dot_)net> wrote:

Up-leveling a bit from the discussion of best practices for
surveillance organisations and virus builders (who apparently
are partly the same crowd). We can make some more general
observations, I think, maybe a bit more relevant for the rest
of us.

I don't think the reported findings are particularly
surprising. But they seem to support what I think we knew
already:

1. Security isn't a single feature, but needs to be thought
in terms of the whole. Comms security and devices and ...

2. There is no such thing as privileged access to the good
guys. It will leak / break / be shared.

3. Secretly held vulnerabilities make us all less safe.

4. The security of our communications and applications matters
a lot. Lives are at stake, not just your browsing history.

Jari





