@EXT: RE: A report on certain standards (was United Nations report on Internet standards)

"Marcolla, Sara Veronica" <Sara.Marcolla@europol.europa.eu> Fri, 27 March 2020 09:48 UTC

Return-Path: <Sara.Marcolla@europol.europa.eu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03B9A3A098B for <ietf@ietfa.amsl.com>; Fri, 27 Mar 2020 02:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9OdAHwM0sLF0 for <ietf@ietfa.amsl.com>; Fri, 27 Mar 2020 02:48:02 -0700 (PDT)
Received: from m2.europol.europa.eu (m2.europol.europa.eu [91.205.194.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48D4D3A0998 for <ietf@ietf.org>; Fri, 27 Mar 2020 02:48:01 -0700 (PDT)
IronPort-SDR: yBX+pAOOEla8XS8/Y4LLRTdX8lnnrlltqNDx3mLV+nWQW76jmKXV3eYQWjIt/3dCKy3vZHUlZq tWG63z0ZTfTS5BeKdDy1y6hifijMFIpNHRX0N8xzcZkviu7MstXr4TtOwVOKkCnyAVg/rZmxng P08wWG8VmS7wABz8pm37iIjnvx0jewSPfU4ZFInEqDrxnIuiUUudu4DXsHkM08sk303jgwZEa8 jfcJ5qwhqtdScXbb+y9ZUnkclTPVJZM9S6rfmy6ogRcMg1NzgNPZTsM2eyP9oi1nCQR6zspky7 JZU=
X-IronPort-AV: E=Sophos;i="5.72,311,1580770800"; d="scan'208";a="726847"
Received: from unknown (HELO ouca.europol.eu.int) ([10.64.22.20]) by m2.europol.europa.eu with ESMTP; 27 Mar 2020 10:47:58 +0100
From: "Marcolla, Sara Veronica" <Sara.Marcolla@europol.europa.eu>
To: 'Stephane Bortzmeyer' <bortzmeyer@nic.fr>
CC: "'ietf@ietf.org'" <ietf@ietf.org>
Subject: @EXT: RE: A report on certain standards (was United Nations report on Internet standards)
Thread-Topic: @EXT: RE: A report on certain standards (was United Nations report on Internet standards)
Thread-Index: AdYEHMmxCh5XmNmkQeqz29PvEqg+WQ==
Date: Fri, 27 Mar 2020 09:47:58 +0000
Message-ID: <c197c137d6704c2bb2c0085f1ff7066c@elvas.europol.eu.int>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-eclass: @EXT
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Mg9ekO3wHpWj0heoqbCOzRVEz5U>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2020 09:48:05 -0000

I read your points, and if I may add another issue to the list: governments are not monolithic actors in this field. 

Different branches of any given government might not be perfectly aligned on the priorities to follow. However, technical engagement of government representatives - without 'special treatment' - happens, and quite fruitfully for all parties involved, for example at RIR level. Of course, discussions there might be a notch less technical in a strict sense, but policy considerations, security considerations, and public safety considerations have increasingly found places in RIR policy developments thanks to governments investing time and effort: nobody lives in isolation, and we should learn improved ways of cooperation indeed. 


Kind regards,

Sara Marcolla

Europol - O3 European Cyber Crime Centre (EC3)
www.europol.europa.eu



-----Original Message-----
From: ietf <ietf-bounces@ietf.org> On Behalf Of Stephane Bortzmeyer
Sent: 27 March 2020 09:10
To: Wout de Natris <denatrisconsult@hotmail.nl>
Cc: ietf@ietf.org
Subject: Re: A report on certain standards (was Re: United Nations report on Internet standards)

On Fri, Mar 20, 2020 at 10:57:31AM +0000, Wout de Natris <denatrisconsult@hotmail.nl> wrote a message of 238 lines which said:

> The topic of choice became deployment of internet standards:
> e.g. DNSSEC, RPKI and BCP38, but also the OWASP top 10, ISO 27001 and 
> secure software;

Yes, the choice of ISO 27001 is strange. It is not an "Internet standard" in any way, and it is just a set of bureaucratic rules, without relationship with actual security.

> Others involve people with knowledge, i.e. your community, to assist 
> in translating new standards into layman's speech and in dissemination 
> to non-technical communities.

Many IETF participants already do it. The report contains zero idea on how to do it better or more broadly. (The fact that the report does not mention that outreach must be done in the local language is a weakness.)

But the report has other weaknesses:

* there are several unsubstantiated claims such as "some standards, e.g. DNSSEC, may not have been thought through sufficiently". But there is no detail: which problems do you see with DNSSEC? How to improve it? IETF would like to create a 4033-bis with problems fixed.

* the report uses the very common narrative "The protocols or internet standards, in other words were created without security in mind. At best it was considered, after which it was decided security would not be a priority. All the standards that are discussed here can in a way be seen as digital band aids, fixing what only in hindsight was flawed." I suggest that you read RFC 5218 for a good criticism of the cliché "protocols should be designed with security in mind". Even now, with the knowledge we have, designing secure systems is hard.

* the report keeps to the very outdated claim that there are two sorts of standards, official ones and the others. It even pretends that ISO is more "official". That's not true. Except for the rare cases where a law mandates such or such standard (which is not the case of ISO 27001, at least in my country), whether a standard is issued by IETF, W3C, ISO or whatever, it is a standard, period.

* the report contains several criticisms without any counter-arguments. For instance, "None of these organisations [the RIRs] have tools to retract these resources when abused or otherwise used in wrong ways." The report seems to ignore that it would be pointless: an RIR can withdraw an allocation, it will still be used, and impossible to re-allocate. (RPKI may change that.)

* another example where the report is technically questionable is when it says "create a new internet. Work on this solution is actually being carried out and published on". (Which is substantiated by a reference to the Cerre report which, itself, mentions RINA and SCION, which says a lot about its credibility.)

> To focus not only on the technicians that have to deploy physically, 
> but on those who can influence decisions to deploy and those deciding 
> on the financial and resource wherewithal to deploy. Many 
> participants, including IETF active, agreed that steps outside of the 
> technical realm are necessary for these standards -and not only the 
> IETF ones as you could see- to be deployed in a serious way, making 
> all internet users more secure immediately and indiscriminately. 
> Ideally without primarily government involvement.

The report is also problematic in what it does not mention. It is silent about political disagreements. If encryption took so long to be deployed, it was not because of technical issues but because several important stakeholders actively resisted, because they want the ability to conduct surveillance. No amount of outreach will make people adopt a technical standard which goes against their interests. The tussle is unavoidable.
