Re: On email and web security

IETF Chair <chair@ietf.org> Wed, 30 December 2015 22:19 UTC

Subject: Re: On email and web security
From: IETF Chair <chair@ietf.org>
In-Reply-To: <304F200F-CF0B-4C23-91F9-BFC06C41BDA8@cisco.com>
Date: Thu, 31 Dec 2015 00:19:09 +0200
Message-Id: <4E442EDD-6E06-40F3-ACFE-33119B737AF9@ietf.org>
References: <304F200F-CF0B-4C23-91F9-BFC06C41BDA8@cisco.com>
To: "Fred Baker (fred)" <fred@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/FKNydcAyKKfrKvzS8eF8BZplmfM>
Cc: "ietf@ietf.org" <ietf@ietf.org>

Thanks for the comments, Fred, and I agree.

In particular I agree that we need a better and more coherent
security architecture. Not necessarily as a way to cut the other
flowers but as a model of how to do things securely.

And I agree about privacy being an inherent part of security.

And I agree about using our own tools as an organisation, but
with a caveat. When we worked on, say, HTTP/2, we didn’t do
that for the sake of our own website. We did it for the sake
of major content providers and most popular web browsers.
If what we worked on in privacy didn’t work for the IETF or
us individually, it would be very weird. But it also cannot be
the only goal, we have to share minds with major current
or potential users of the technology. What would those be
in the e-mail case, and what kinds of things are they likely
to need? Having a good answer to those questions is
probably as important as having all of us turn on particular
forms of security in our individual communications.

(I should probably insert a reminder that even in e-mail
there are actually many subproblems and aspects.
End-to-end content protection is just one. But both my
discussion above and yours, Fred, were focused on the
end-to-end part.)

Jari