IAB Statement on Internet Confidentiality

IAB Chair <iab-chair@iab.org> Fri, 14 November 2014 09:26 UTC

Return-Path: <iab-chair@iab.org>
X-Original-To: ietf-announce@ietfa.amsl.com
Delivered-To: ietf-announce@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 547DC1A8753; Fri, 14 Nov 2014 01:26:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1oln3JDkH1o; Fri, 14 Nov 2014 01:26:04 -0800 (PST)
Received: from mail.amsl.com (mail.amsl.com [IPv6:2001:1900:3001:11::28]) by ietfa.amsl.com (Postfix) with ESMTP id 1DAB41A8752; Fri, 14 Nov 2014 01:26:04 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by c8a.amsl.com (Postfix) with ESMTP id 3C4E01E5A18; Fri, 14 Nov 2014 01:25:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from c8a.amsl.com ([127.0.0.1]) by localhost (c8a.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QXoF9Rq2BZ8E; Fri, 14 Nov 2014 01:25:18 -0800 (PST)
Received: from s2001067c03700144c62c03fffe2cc7b9.hotel-wired.v6.meeting.ietf.org (s2001067c03700144c62c03fffe2cc7b9.hotel-wired.v6.meeting.ietf.org [IPv6:2001:67c:370:144:c62c:3ff:fe2c:c7b9]) by c8a.amsl.com (Postfix) with ESMTPSA id C96231E5A15; Fri, 14 Nov 2014 01:25:17 -0800 (PST)
From: IAB Chair <iab-chair@iab.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: IAB Statement on Internet Confidentiality
Date: Fri, 14 Nov 2014 04:26:02 -0500
Message-Id: <99E579B9-63A7-4C4F-864F-84F539B8381E@iab.org>
To: IETF Announce <ietf-announce@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-announce/ObCNmWcsFPNTIdMX5fmbuJoKFR8
Cc: IAB <iab@iab.org>, IETF <ietf@ietf.org>
X-BeenThere: ietf-announce@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ietf@ietf.org
List-Id: "IETF announcement list. No discussions." <ietf-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-announce/>
List-Post: <mailto:ietf-announce@ietf.org>
List-Help: <mailto:ietf-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-announce>, <mailto:ietf-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 09:26:05 -0000

Please find this statement issued by the IAB today.

On behalf of the IAB,
  Russ Housley
  IAB Chair

= = = = = = = = = = = = =

IAB Statement on Internet Confidentiality

In 1996, the IAB and IESG recognized that the growth of the Internet
depended on users having confidence that the network would protect
their private information.  RFC 1984 documented this need.  Since that
time, we have seen evidence that the capabilities and activities of
attackers are greater and more pervasive than previously known.  The IAB
now believes it is important for protocol designers, developers, and
operators to make encryption the norm for Internet traffic.  Encryption
should be authenticated where possible, but even protocols providing
confidentiality without authentication are useful in the face of
pervasive surveillance as described in RFC 7258.

Newly designed protocols should prefer encryption to cleartext operation.
There may be exceptions to this default, but it is important to recognize
that protocols do not operate in isolation.  Information leaked by one
protocol can be made part of a more substantial body of information
by cross-correlation of traffic observation.  There are protocols which
may as a result require encryption on the Internet even when it would
not be a requirement for that protocol operating in isolation.

We recommend that encryption be deployed throughout the protocol stack
since there is not a single place within the stack where all kinds of
communication can be protected.

The IAB urges protocol designers to design for confidential operation by
default.  We strongly encourage developers to include encryption in their
implementations, and to make them encrypted by default.  We similarly
encourage network and service operators to deploy encryption where it is
not yet deployed, and we urge firewall policy administrators to permit
encrypted traffic.

We believe that each of these changes will help restore the trust users
must have in the Internet.  We acknowledge that this will take time and
trouble, though we believe recent successes in content delivery networks,
messaging, and Internet application deployments demonstrate the
feasibility of this migration.  We also acknowledge that many network
operations activities today, from traffic management and intrusion
detection to spam prevention and policy enforcement, assume access to
cleartext payload.  For many of these activities there are no solutions
yet, but the IAB will work with those affected to foster development of
new approaches for these activities which allow us to move to an Internet
where traffic is confidential by default.