Re: Call for comment: draft-iab-strint-report-02.txt

Eliot Lear <lear@cisco.com> Wed, 03 June 2015 20:48 UTC

Message-ID: <556F682F.8050707@cisco.com>
Date: Wed, 03 Jun 2015 22:48:47 +0200
From: Eliot Lear <lear@cisco.com>
To: ietf@ietf.org
Subject: Re: Call for comment: draft-iab-strint-report-02.txt
References: <168135BA-8F49-440F-B0BE-D529692F543E@iab.org>
In-Reply-To: <168135BA-8F49-440F-B0BE-D529692F543E@iab.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/EwcF1wQgfLzYaOha5yY9yx5RAug>
List-Id: IETF-Discussion <ietf.ietf.org>

Hi,

I would suggest that this document is pretty close to ready, but not
quite ready.

The language/tone and some of the content of the report really need a
lot of tightening up, and the record is not entirely accurate.  Here
are a few "for instances".

Regarding hotel networking, the draft states: “It seems some protocol is
missing in this case.”  The presentation given was all about the
challenges of how protocols like WISPR rely upon clear text.  The
problem is that the portal can't intercept HTTP and pose the question to
the user without a security warning popping up (if it works at all). 
The whole point was that in the face of encryption a mechanism is needed
to authorize users onto such networks, and that is what should be stated.

In on-by-default we discussed, for instance, a more nuanced approach
where there might be some protocols where it would be absolutely the
case that one would never want unencrypted traffic (SCIM was an
example), and others where some of the challenges of encryption would
make it not worthwhile (we discussed discovery protocols, as I recall). 
That was to be part of follow-on work (part of the draft that was
mentioned).

Another example, “Hopefully, they supervise their security better
than...”  Either they do or they don't.  But the phrasing of that is a
bit off.  And I'm not entirely sure what "supervise their security"
means, but I do know what "expending effort in securing their offering"
means.

On this statement:

>    Lack of interoperability between systems is in itself a threat as it
>    leads to work-arounds and compromises that may be less secure.

It's not lack of interoperability that's the threat but poorly thought
out workarounds.

In the cyberinsurance market it is interoperability that is the threat
(not the lack thereof) because it increases the risk of a catastrophic
loss.  The whole tie-in to epidemiological modeling and cybersecurity is
based on this fact (one of our luminaries was notoriously fired from a
company when he pointed out the risks of a monoculture which is
inherently interoperable (he's still around- they're not ;-)).

I'll stop there for now, but really the report could use a few more
eyes.

Eliot

On 6/3/15 8:30 PM, IAB Chair wrote:
> Dear colleagues,
>
> This is an announcement of an IETF-wide Call for Comment on 
> draft-iab-strint-report-02.txt.
>  
> The document is being considered for publication as an Informational RFC 
> within the IAB stream, and is available for inspection here: 
> https://www.ietf.org/id/draft-iab-strint-report-02.txt
>  
> The Call for Comment will last until 2015-07-01. Please send comments to 
> iab@iab.org.
>
> Best regards,
> Andrew Sullivan
> IAB chair
> On behalf of the IAB