Re: Security for various IETF services
John C Klensin <john-ietf@jck.com> Fri, 04 April 2014 13:04 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A8D1A0182 for <ietf@ietfa.amsl.com>; Fri, 4 Apr 2014 06:04:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01, T_TVD_FUZZY_SECURITIES=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iV58LE7RxSdH for <ietf@ietfa.amsl.com>; Fri, 4 Apr 2014 06:04:21 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) by ietfa.amsl.com (Postfix) with ESMTP id 044341A0169 for <ietf@ietf.org>; Fri, 4 Apr 2014 06:04:19 -0700 (PDT)
Received: from [198.252.137.115] (helo=JcK-HP8200.jck.com) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1WW3mt-000DFa-5R; Fri, 04 Apr 2014 09:04:03 -0400
Date: Fri, 04 Apr 2014 09:03:58 -0400
From: John C Klensin <john-ietf@jck.com>
To: Randall Gellens <randy@qti.qualcomm.com>, Pranesh Prakash <pranesh@cis-india.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF-Discussion <ietf@ietf.org>
Subject: Re: Security for various IETF services
Message-ID: <2A0E1EB4BED37EB84AEF66E0@JcK-HP8200.jck.com>
In-Reply-To: <p06240605cf63c268e7df@[99.111.97.136]>
References: <533D8A90.60309@cs.tcd.ie> <533DF52E.5020707@cis-india.org> <p06240605cf63c268e7df@[99.111.97.136]>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.115
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/T9tZ_L3WIj8Xjb3JEdTmQh7SKP0
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Apr 2014 13:04:26 -0000
--On Thursday, April 03, 2014 19:00 -0700 Randall Gellens <randy@qti.qualcomm.com> wrote: > At 7:56 PM -0400 4/3/14, Pranesh Prakash wrote: > >>> However, as there are numerous legacy tools that have been >>> built that require access via cleartext >> >> Could you please expand on this? What kinds of legacy tools >> is that statement talking about? > > I have a number of tools and scripts that access IETF and RFC > Editor documents and information using HTTP and FTP. I do too and more with FTP than HTTP. This is not just being old and set in my ways (age being both the tools and about me). Many of the tools that use HTTP can't make up their minds (or need special handling) to deliver an XML file to me rather that deciding they "really" know what I intend and trying to render/interpret it, while FTP always does what it is told and retrieves the d**m file. My preferred reading tools for I-Ds and RFCs and my preferred editing tools for I-Ds involve an emacs clone text editor. It provides a very satisfactory solution, a range of paging and text tools, a satisfactory XML editing experience, and a largely platform-independent consistent interface. Given that, I'm loathe to seek out and learn something new and shiny and, having looked around, I'm not convinced that doing so would bring any real benefit. More important from the security front, although, in this case, it more a matter of principle than a serious concern, it is none of the IETF's, or anyone else's, business what files I retrieve and when. I don't want to be authenticated unless there is a demonstrated and persuasive need that gets community consensus; I don't want logs kept at all; and, by the way, I don't want web beacons in my mail from IETF lists because some future genius decides that better service could be provided by analyzing what is read and when. In addition, if I want to set up caches for documents (or even shadows of directories) or trick routing, whether to protect my privacy, improve performance, or because I'm perverse. I don't think the IETF should be "helping" me and someone else's perception of what security issues I think (or should think) are important by getting in the way (with SSL/TLS or anything else). IMO, the IESG needs to carefully consider whether better privacy and security, especially for access to public documents, lies in more anonymity and openness rather than in more restrictive and powerful tools whose side-effects may be to compromise that anonymity. The answer will inevitably be different for different cases, but these knee-jerk "need more security" reactions are just bad systems engineering. Finally, like (I assume) many others here, I don't have a lot of spare time on my hands [1]. Time that goes into following one of these procedural threads, questions from the IAOC, etc., is time that doesn't get spent on substantive work for the IETF. So I really wish that the IESG and IAOC would keep their responsibility for facilitating getting technical/ standards work around here in the front of their minds and ask themselves (and maybe each other) hard questions about relative importance of each of their trial balloons and inquiries. john p.s. I also agree with most of Dave Crocker's recent analyses and comments. That is becoming a scary trend :-) Any time someone needs to think about or discuss data retention policies, security of logs, or the like, I think we first need to have a discussion of why we need to collect the data in the first place. [1] Sorry, I type rapidly enough that it doesn't predict to messages that are so short and pointed as to seem cryptic. But I am sending a lot fewer of them.
- Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Fred Baker (fred)
- RE: Security for various IETF services ned+ietf
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Pranesh Prakash
- Re: Security for various IETF services Fred Baker (fred)
- Re: Security for various IETF services Douglas Otis
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Fred Baker (fred)
- Re: Security for various IETF services Brian E Carpenter
- Re: Security for various IETF services Randy Bush
- Re: Security for various IETF services Scott Brim
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services ned+ietf
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Randy Bush
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Martin Rex
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services t.p.
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Hector Santos
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Hector Santos
- Re: Security for various IETF services Dick Franks
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Pranesh Prakash
- Re: Security for various IETF services Martin Thomson
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Stewart Bryant (stbryant)
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Hector Santos
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services ned+ietf
- Re: Security for various IETF services Tim Bray
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services David Morris
- RE: Security for various IETF services Christian Huitema
- RE: Security for various IETF services l.wood
- Re[2]: Security for various IETF services mohammed serrhini
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Randy Bush
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services S Moonesamy
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Brian Trammell
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services John C Klensin
- Re: Security for various IETF services Spencer Dawkins
- Re: Security for various IETF services Stewart Bryant
- Re: Security for various IETF services Ted Lemon
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services Matthew Kaufman (SKYPE)
- RE: Security for various IETF services Eric Gray
- Re: Security for various IETF services t.p.
- Re: Security for various IETF services Scott Brim
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Dick Franks
- Re: Security for various IETF services Phillip Hallam-Baker
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Yoav Nir
- Re: Security for various IETF services Stephen Farrell
- RE: Security for various IETF services l.wood
- RE: Security for various IETF services l.wood
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Yoav Nir
- Re: Security for various IETF services Noel Chiappa
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Tim Bray
- Re: Security for various IETF services Steve Crocker
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Randall Gellens
- Re: Security for various IETF services Dave Crocker
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Stephen Farrell
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Ted Lemon
- Re: Security for various IETF services Phillip Hallam-Baker
- Re: Security for various IETF services Phillip Hallam-Baker
- Web of trust at Internet Scale Sam Hartman
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Dave Cridland
- Re: Security for various IETF services Mark Andrews
- Re: Security for various IETF services Theodore Ts'o
- Re: Security for various IETF services Jelte Jansen
- Re: Security for various IETF services Stephen Kent