Re[2]: Security for various IETF services

mohammed serrhini <> Mon, 07 April 2014 00:40 UTC

List-Id: IETF-Discussion <>

I agree. The Security and Risk Analysis is major; it looks at how to redesign systems that are secure, how to measure risk, and how to ensure that proper levels of privacy are maintained for individual users. Remember that security is a process, not a
product. Not all security and privacy are resolved technically, without forgetting that the user is the weak node of the chain.
HSTS, TLS, HTTPS, FTPS or NSS / GnuTLS / OpenSSL can break the IETF web site's old tools, but provide levels of privacy and security.
The delivery and maintenance team is responsible for ongoing updating and monitoring, including security measures for access control and information confidentiality, when there are mechanisms in place to establish
privacy and trust.

Serrhini Mohammed

Sun, 6 Apr 2014 23:30:11 +0000 from Christian Huitema <>:
>> I agree with those who've said a threat analysis is needed before
>> deciding access is limited to TLS or other secure alternative.
>But we have that threat analysis, and the recommended mitigation is precisely "encrypt everything." The "pervasive monitoring" threat is analyzed by a number of perpass drafts, and Stephen has merely followed the conclusions of that analysis. There is no need to repeat that analysis for each and every tool that the IETF produces, and there is indeed a need for the IETF as a whole to "lead by example."
>-- Christian Huitema

Best regards,
mohammed serrhini