Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

Patrik Fältström <paf@frobbit.se> Sat, 07 September 2013 06:24 UTC

On 7 sep 2013, at 00:02, Tim Bray <tbray@textuality.com> wrote:

> How about a BCP saying conforming implementations of a wide variety of security-area RFCs MUST be open-source?
> 
> *ducks*

Well, there is something in there that makes sense.

We do have a program in the world called Common Criteria. That certification program includes CCRA (CC Recognition Agreement) that implies that countries that run certification agencies agree that what is certified in one country by one such certification agency is also viewed as certified in all countries.

This makes it possible to go also with closed source items to one such certification agency and get it certified according to a specification.

Now, there are of course (at least) two weaknesses in this:

1. A certification must be against some certification testing. That is not an RFC, but the test itself might though refer to RFCs as for example "a router" is quite complicated and it is specifically important to know it does not do MORE things than what is specified in the certification testing specification.

2. How does one know that the certification agency is not lying?

But I think this (or something similar) is still the best we can do and/or possibly what we should do.

Also with open source software that "claim to implement gPGP" :-)

   Patrik