Re: Security for various IETF services

S Moonesamy <sm+ietf@elandsys.com> Mon, 07 April 2014 08:25 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD70E1A0357 for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 01:25:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KbxAa4TbRhk1 for <ietf@ietfa.amsl.com>; Mon, 7 Apr 2014 01:25:01 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id DB47F1A02C0 for <ietf@ietf.org>; Mon, 7 Apr 2014 01:25:01 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([197.224.147.234]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id s378OhQg022661 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf@ietf.org>; Mon, 7 Apr 2014 01:24:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1396859095; bh=SYmb8CamL42zt60yGHWW7WDIsd2sstCeLXHbIrG5vWo=; h=Date:To:From:Subject:In-Reply-To:References; b=Bui6Y5W5ILYadmS8MxpDbm/lUPp7BCtDSAjGvpIah4wBZb364bMdL+cbmSfL0sMtR JMS+1siRXn4LX3Zezv33ZRIg1aX+iszeEnyzmC1n2lpSApZ+BctgrQt7R0VTT+IB+Z x6hDP+UGa6f1DqdSs+2Gje/B6IdDhqj9lTwOQRsU=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1396859095; i=@elandsys.com; bh=SYmb8CamL42zt60yGHWW7WDIsd2sstCeLXHbIrG5vWo=; h=Date:To:From:Subject:In-Reply-To:References; b=a/OfFErof7IYq3sGuAIYzWPT/TSuIGc5eEF0nkhAhRHz98SVIfifFDwk0NKSy1iRC WxMGBirbCrPx7wavbj78/UkS2iEIYQsPrMq8aUJv/Nb5jCSSxjGU83f6REbb3ciU8t vvbsBIH88qy0UX/EMG2nrDYrny8l5YDOBghN/AWs=
Message-Id: <6.2.5.6.2.20140406230005.07a30850@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 07 Apr 2014 01:08:00 -0700
To: ietf@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: Security for various IETF services
In-Reply-To: <alpine.LRH.2.01.1404061602580.14892@egate.xpasc.com>
References: <533D8A90.60309@cs.tcd.ie> <53417832.90405@cs.tcd.ie> <alpine.LRH.2.01.1404061602580.14892@egate.xpasc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/3T_naLAmqCS7tXNuvSIiSNn-ywE
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 08:25:07 -0000

At 16:08 06-04-2014, David Morris wrote:
>I don't object to making TLS/et al access available when it can be
>done at a moderate cost. But that is different than the implied
>statement that the intent is to require TLS for future service
>access.

I read the statement as being about not having recurring discussions 
about whether access to a future service will require secure 
access.  That's worthwhile.

https://datatracker.ietf.org has links to http://tools.ietf.org/  and 
http://www.ietf.org.  The "Search" link is to 
"www.google.com".  jabber.ietf.org is listed as having the following issues:

   - Certificate is not trusted
   - Server allows SSLv2, which is obsolete and insecure.
   - Server does not support the newest version, TLS 1.2.

The mail service does not support STARTTLS.

The current guideline for services is "server security based on 
best-practices and data sensitivity level".  There isn't any 
information about the best-practices for information which will be 
publicly available.  Some people have been accessing (IETF) publicly 
available information using clear-text protocols for many years.  The 
people do not consider "X is spying on you" as a reason to stop using 
those protocols.

A few months ago, a person (not in the IETF) posted the following comment:

   "I'd really like to know how secure this offer is before considering it...."

Regards,
S. Moonesamy