Re: Security for various IETF services

Tim Bray <tbray@textuality.com> Sat, 05 April 2014 17:29 UTC

Return-Path: <tbray@textuality.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B29CB1A045A for <ietf@ietfa.amsl.com>; Sat, 5 Apr 2014 10:29:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nA_Xq6ECm2cX for <ietf@ietfa.amsl.com>; Sat, 5 Apr 2014 10:29:41 -0700 (PDT)
Received: from mail-ve0-f171.google.com (mail-ve0-f171.google.com [209.85.128.171]) by ietfa.amsl.com (Postfix) with ESMTP id DCD151A0211 for <ietf@ietf.org>; Sat, 5 Apr 2014 10:29:40 -0700 (PDT)
Received: by mail-ve0-f171.google.com with SMTP id jy13so2386703veb.2 for <ietf@ietf.org>; Sat, 05 Apr 2014 10:29:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=4i7mNTbc6ovtyGMwOTeZSwfHepNq/qkNh4c4+2FpxNU=; b=c+6oKxatdUngkFhDlYIwk5BpAXErTYHCV/45F00EtarO85sibx6BRnTZFzocCbbdgE GHBbvYdzU2Wi8GdhupWpCPCOyGYR4xZ6X4N0YBUedPvCz1wrmbcQqJmnMMJApuvb3niQ Mp/vTjJpsT3QRYgRhg7NZ/qlR95zEwyCRAauhrJPftApGpGy4JEhe53uR6RJlLu5Hn8E xvR3hVOr3P9yBsnKDd0KRRPNovmhWA4EFp01VcbRxmejx+UXDst7kOmrD1SkuP3FHt1k SdEWt2eC7eSfQuKjOf5UdrtQEGjIWQCejYmrLPPHVv0RnrfayE6goBchtL1nRsXJJIUy yUsw==
X-Gm-Message-State: ALoCoQn4x6SKRwwAxtpPSyZVAATQ0FudtYCH1vQgnngbuEt6XufOMVnFYxXkTkx6tc4ATbr0wVH/
X-Received: by 10.58.38.166 with SMTP id h6mr951151vek.22.1396718975773; Sat, 05 Apr 2014 10:29:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.98.73 with HTTP; Sat, 5 Apr 2014 10:29:15 -0700 (PDT)
X-Originating-IP: [24.84.235.32]
In-Reply-To: <27993A73-491B-4590-9F37-0C0D369B4C6F@cisco.com>
References: <533D8A90.60309@cs.tcd.ie> <533EEF35.7070901@isdg.net> <27993A73-491B-4590-9F37-0C0D369B4C6F@cisco.com>
From: Tim Bray <tbray@textuality.com>
Date: Sat, 5 Apr 2014 10:29:15 -0700
Message-ID: <CAHBU6iuX8Y8VCgkY1Qk+DEPEgN2=DWbNEWVffyVmmP_3qmmmig@mail.gmail.com>
Subject: Re: Security for various IETF services
To: "Stewart Bryant (stbryant)" <stbryant@cisco.com>
Content-Type: multipart/alternative; boundary=089e013a0d4067050d04f64efab5
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/XImAchpYuGIh-2d8nzU9G1SvdUQ
Cc: The IESG <iesg@ietf.org>, IETF-Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Apr 2014 17:29:46 -0000

On Sat, Apr 5, 2014 at 1:50 AM, Stewart Bryant (stbryant) <
stbryant@cisco.com> wrote:

> Please confirm that "friendly" implies that the user gets to
> choose the degree of security privacy that they consider
> appropriate, and that their applications and devices are not
> encumbered  with the overheads unless they choose to invoke
> the privacy and security mechanisms.

Here, I think, is a key issue.  I disagree with Stewart.  WHAT?!  How can I
possibly disagree with
​user choice?  Because, a huge majority of people

(a) aren’t aware that there is a choice to be made, and shouldn’t need to be
(b) do not understand the technical issues surrounding the choice, and
shouldn’t have to
(c) do not understand the legal/policy issues surrounding the choice, and
shouldn’t have to

This includes both the people who use online services and the people who
offer them.  Thus, the only sane ethical position is to operate in a mode
that is private by default, because the consequences of a negative failure
(the user really didn’t need privacy but got it anyhow) are immensely less
damaging than the consequences of a positive failure (the user really
needed privacy but didn’t get it).

​Yes, it is certainly desirable that for those who are in the unusual
position of being confident that they understand the technical and policy
issues, they be given the option of choosing to operate in plain-text
anyone-can-MITM anyone-can-eavesdrop mode.  But saying that the needs of
that very small and specialized group of people should trump the interests
of the vast majority who shouldn’t have to understand or worry about where
privacy is appropriate and how to provide it; that seems bizarre to me.

So yeah, please turn the IETF’s public-facing offerings over into
private-by-default mode. It’s the only ethical course of action.  -T