Re: Security for various IETF services

Dave Crocker <> Fri, 04 April 2014 02:04 UTC

On 4/3/2014 5:26 PM, Brian E Carpenter wrote:
> I think we need to distinguish various
> quite separate issues. Off the top of my head, I can see:

What I like most about Brian's list is that it seeks to gain some
discipline and clarity about what might be done and why.  As Ned's
responses show, this requires even more clarity and -- depending on
what answers we give -- different difficulty.

On 4/3/2014 5:29 PM, Randy Bush wrote:
 > because we blew it way back when, by designing a completely insecure
 > and un-private internet.  as supposedly responsible and occasionally
 > competent engineers, we should rectify our mistakes.

This promotes a collection of popular myths which both give a false 
history and a false (and counter-productively distracting) present.

The presumption that 'security' was ignored "way back" is simply wrong.
Both in the 70s and again in the 90s, security issues were given
attention.  In the 70s, the primary answer was encryption boxes, for
those special cases deemed to need them.  In terms of the technology of
the day, when combined with the nature of the scale and use of the
Arpanet and eventually Internet, that was a reasonable choice.

In the 90s, we got PEM, PGP, S/MIME and the beginnings of DNSSec.

The experience of the 90s nicely highlights the problem with the second
myth, that we merely needed to 'decide' to do 'security'.  As the
increasing list of problematic security-related efforts over the last 25
years demonstrates, doing 'security' for Internet scale and diversity is
a challenge, often appearing to be beyond the state of the art.

Note how little DNSSec we still have.  Note how little PGP and S/MIME
use we still have.  All three of those were diligent, reasonable design
efforts.  Yet their deployment and use remain problematic.

Added to this is that the word 'security' is almost completely 
meaningless in technical terms.  For most technical discussions, it's so 
vague there's no way to know what specific problems are of concern or 
what functions are intended.

So please, let's focus on the kind of disciplined, targeted effort that 
Brian is promoting to consider needs and solutions, and move away from 

Dave Crocker
Brandenburg InternetWorking