Re: Security for various IETF services
ned+ietf@mauve.mrochek.com Fri, 04 April 2014 00:56 UTC
Return-Path: <ned+ietf@mauve.mrochek.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 390B81A0470 for <ietf@ietfa.amsl.com>; Thu, 3 Apr 2014 17:56:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rn13ZKdU0nXJ for <ietf@ietfa.amsl.com>; Thu, 3 Apr 2014 17:56:33 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.59.230.40]) by ietfa.amsl.com (Postfix) with ESMTP id DC7E01A045B for <ietf@ietf.org>; Thu, 3 Apr 2014 17:56:32 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P67VFHK01S0057B2@mauve.mrochek.com> for ietf@ietf.org; Thu, 3 Apr 2014 17:51:27 -0700 (PDT)
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET="iso-8859-1"
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P5NOFJJ0Y800004W@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for ietf@ietf.org; Thu, 3 Apr 2014 17:51:25 -0700 (PDT)
From: ned+ietf@mauve.mrochek.com
Message-id: <01P67VFG3GTG00004W@mauve.mrochek.com>
Date: Thu, 03 Apr 2014 17:44:49 -0700
Subject: Re: Security for various IETF services
In-reply-to: "Your message dated Fri, 04 Apr 2014 13:26:55 +1300" <533DFC4F.2040902@gmail.com>
References: <533D8A90.60309@cs.tcd.ie> <290E20B455C66743BE178C5C84F1240847E779EEB6@EXMB01CMS.surrey.ac.uk> <p06240601cf639cb2113b@[99.111.97.136]> <01P67T1X0MI000004W@mauve.mrochek.com> <533DFC4F.2040902@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/AZO1_psXYiKKVmRgvF8rMR1pShI
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Apr 2014 00:56:37 -0000
> On 04/04/2014 12:35, ned+ietf@mauve.mrochek.com wrote: > >> My reaction is also to ask "Why?" Security and privacy involve > >> trade-offs where various costs (including operational difficulty) are > >> weighed against the benefits, such as protecting information from > >> unauthorized disclosure or modification. So, I'd suggest that a > >> blanket statement isn't a good idea, but rather, a service-by-service > >> decision should be made. For example, XMPP and document submission > >> may justify requiring encryption while email and document retrieval > >> might not. > > > > Bingo. There's a perfectly reasonable case to be made for protecting any > > sort > > of authorization/authentication exchange and not allowing alternatives. > > > > But in the case of document distribution, our primary goal should be to > > insure > > maximum availability and access to the information we provide, including > > to those who are unable to whatever reason to use protected services. > > > > And yes, I'm aware of the argument that access to certain standards, > > especially > > ones themselves having to do with security, might be problematic to folks > > living under some repressive regime or other. I don't buy it, mostly > > because that level of paranoia is going to regard any sort of access to > > IETF materials whatsoever as a red flag, especially it was conducted over > > TLS/SSL. > That may be, but that doesn't mean we shouldn't offer privacy of > access to those who want it. I never said we shouldn't offer it. The previous discussion was largley about requiring it. > I think we need to distinguish various > quite separate issues. Off the top of my head, I can see: > * authenticity and integrity of data coming from the IETF site; Your problem here is people get IETF data from many sources besides the IETF site. Indeed, alternative data stores may provide access alternatives for those concerned about being seen accessing IETF data in the obvious way. As a result I don't see how transport security offers a meaningful solution here. We should instead be looking at various signature mechanisms. > * privacy of the fact of access, if the user wants it; Again, there's nothing wrong with offering secure access as an option. Wikipedia is the obvious example of a site that does this. > * preventing access to the IETF site being used as an attack > vector for either the site itself or the remote user > (which indirectly includes protecting the privacy of > personal information held at either end); Certain aspects of this are easy, others are hard, and some are probably research problems. Ned
- Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Fred Baker (fred)
- RE: Security for various IETF services ned+ietf
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Pranesh Prakash
- Re: Security for various IETF services Fred Baker (fred)
- Re: Security for various IETF services Douglas Otis
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Fred Baker (fred)
- Re: Security for various IETF services Brian E Carpenter
- Re: Security for various IETF services Randy Bush
- Re: Security for various IETF services Scott Brim
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services ned+ietf
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Randy Bush
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Martin Rex
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services t.p.
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Hector Santos
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Hector Santos
- Re: Security for various IETF services Dick Franks
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Pranesh Prakash
- Re: Security for various IETF services Martin Thomson
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Stewart Bryant (stbryant)
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Hector Santos
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services ned+ietf
- Re: Security for various IETF services Tim Bray
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services David Morris
- RE: Security for various IETF services Christian Huitema
- RE: Security for various IETF services l.wood
- Re[2]: Security for various IETF services mohammed serrhini
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Randy Bush
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services S Moonesamy
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Brian Trammell
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Spencer Dawkins
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Ted Lemon
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services Matthew Kaufman (SKYPE)
- RE: Security for various IETF services Eric Gray
- Re: Security for various IETF services t.p.
- Re: Security for various IETF services Scott Brim
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Phillip Hallam-Baker
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Yoav Nir
- Re: Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Yoav Nir
- Re: Security for various IETF services Noel Chiappa
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Tim Bray
- Re: Security for various IETF services Steve Crocker
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Phillip Hallam-Baker
- Web of trust at Internet Scale Sam Hartman
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Mark Andrews
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Jelte Jansen
- Re: Security for various IETF services Stephen Kent