Re: Security for various IETF services

S Moonesamy <> Mon, 07 April 2014 08:25 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CD70E1A0357 for <>; Mon, 7 Apr 2014 01:25:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KbxAa4TbRhk1 for <>; Mon, 7 Apr 2014 01:25:01 -0700 (PDT)
Received: from ( [IPv6:2001:470:f329:1::1]) by (Postfix) with ESMTP id DB47F1A02C0 for <>; Mon, 7 Apr 2014 01:25:01 -0700 (PDT)
Received: from ([]) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id s378OhQg022661 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Mon, 7 Apr 2014 01:24:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail2010; t=1396859095; bh=SYmb8CamL42zt60yGHWW7WDIsd2sstCeLXHbIrG5vWo=; h=Date:To:From:Subject:In-Reply-To:References; b=Bui6Y5W5ILYadmS8MxpDbm/lUPp7BCtDSAjGvpIah4wBZb364bMdL+cbmSfL0sMtR JMS+1siRXn4LX3Zezv33ZRIg1aX+iszeEnyzmC1n2lpSApZ+BctgrQt7R0VTT+IB+Z x6hDP+UGa6f1DqdSs+2Gje/B6IdDhqj9lTwOQRsU=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1396859095;; bh=SYmb8CamL42zt60yGHWW7WDIsd2sstCeLXHbIrG5vWo=; h=Date:To:From:Subject:In-Reply-To:References; b=a/OfFErof7IYq3sGuAIYzWPT/TSuIGc5eEF0nkhAhRHz98SVIfifFDwk0NKSy1iRC WxMGBirbCrPx7wavbj78/UkS2iEIYQsPrMq8aUJv/Nb5jCSSxjGU83f6REbb3ciU8t vvbsBIH88qy0UX/EMG2nrDYrny8l5YDOBghN/AWs=
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Mon, 07 Apr 2014 01:08:00 -0700
From: S Moonesamy <>
Subject: Re: Security for various IETF services
In-Reply-To: <>
References: <> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 07 Apr 2014 08:25:07 -0000

At 16:08 06-04-2014, David Morris wrote:
>I don't object to making TLS/et al access available when it can be
>done at a moderate cost. But that is different than the implied
>statement that the intent is to require TLS for future service

I read the statement as being about not having recurring discussions 
about whether access to a future service will require secure 
access.  That's worthwhile. has links to  and  The "Search" link is to 
"". is listed as having the following issues:

   - Certificate is not trusted
   - Server allows SSLv2, which is obsolete and insecure.
   - Server does not support the newest version, TLS 1.2.

The mail service does not support STARTTLS.

The current guideline for services is "server security based on 
best-practices and data sensitivity level".  There isn't any 
information about the best-practices for information which will be 
publicly available.  Some people have been accessing (IETF) publicly 
available information using clear-text protocols for many years.  The 
people do not consider "X is spying on you" as a reason to stop using 
those protocols.

A few months ago, a person (not in the IETF) posted the following comment:

   "I'd really like to know how secure this offer is before considering it...."

S. Moonesamy