Re: A report on certain standards (was Re: United Nations report on Internet standards)
Stephane Bortzmeyer <bortzmeyer@nic.fr> Fri, 27 March 2020 08:13 UTC
Date: Fri, 27 Mar 2020 09:10:20 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Wout de Natris <denatrisconsult@hotmail.nl>
Cc: "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: A report on certain standards (was Re: United Nations report on Internet standards)
Message-ID: <20200327081020.GC14620@sources.org>
References: <AM0PR05MB6564247B76BE9434E87D1A90C2F50@AM0PR05MB6564.eurprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/_cXp9uDdgR4PNod4X1I637_1QAA>
On Fri, Mar 20, 2020 at 10:57:31AM +0000, Wout de Natris <denatrisconsult@hotmail.nl> wrote a message of 238 lines which said:

> The topic of choice became deployment of internet standards:
> e.g. DNSSEC, RPKI and BCP38, but also the OWASP top 10, ISO 27001
> and secure software;

Yes, the choice of ISO 27001 is strange. It is not an "Internet standard" in any way, and it is just a set of bureaucratic rules, without relationship with actual security.

> Others involve people with knowledge, i.e. your community, to assist
> in translating new standards into layman's speech and in
> dissemination to non-technical communities.

Many IETF participants already do it. The report contains zero ideas on how to do it better or more broadly. (The fact that the report does not mention that outreach must be done in the local language is a weakness.)

But the report has other weaknesses:

* there are several unsubstantiated claims such as "some standards, e.g. DNSSEC, may not have been thought through sufficiently". But there is no detail: which problems do you see with DNSSEC? How to improve it? The IETF would like to create a 4033-bis with the problems fixed.

* the report uses the very common narrative "The protocols or internet standards, in other words were created without security in mind. At best it was considered, after which it was decided security would not be a priority. All the standards that are discussed here can in a way be seen as digital band aids, fixing what only in hindsight was flawed." I suggest that you read RFC 5218 for a good criticism of the cliché "protocols should be designed with security in mind". Even now, with the knowledge we have, designing secure systems is hard.

* the report keeps to the very outdated claim that there are two sorts of standards, official ones and the others. It even pretends that ISO is more "official". That's not true. Except for the rare cases where a law mandates this or that standard (which is not the case for ISO 27001, at least in my country), whether a standard is issued by IETF, W3C, ISO or whatever, it is a standard, period.

* the report contains several criticisms without any counter-arguments. For instance, "None of these organisations [the RIRs] have tools to retract these resources when abused or otherwise used in wrong ways." The report seems to ignore that it would be pointless: a RIR can withdraw an allocation, it will still be used, and be impossible to re-allocate. (RPKI may change that.)

* another example where the report is technically questionable is when it says "create a new internet. Work on this solution is actually being carried out and published on". (Which is substantiated by a reference to the Cerre report which, itself, mentions RINA and SCION, which says a lot about its credibility.)

> To focus not only on the technicians that have to deploy physically,
> but on those who can influence decisions to deploy and those
> deciding on the financial and resource wherewithal to deploy. Many
> participants, including IETF active, agreed that steps outside of
> the technical realm are necessary for these standards -and not only
> the IETF ones as you could see- to be deployed in a serious way,
> making all internet users more secure immediately and
> indiscriminately. Ideally without primarily government involvement.

The report is also problematic in what it does not mention. It is silent about political disagreements. If encryption took so long to be deployed, it was not because of technical issues but because several important stakeholders actively resisted, because they want the ability to conduct surveillance. No amount of outreach will make people adopt a technical standard which goes against their interests. The tussle is unavoidable.