Re: A report on certain standards (was Re: United Nations report on Internet standards)

Stephane Bortzmeyer <bortzmeyer@nic.fr> Fri, 27 March 2020 08:13 UTC

Return-Path: <stephane@sources.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7CB3A0042 for <ietf@ietfa.amsl.com>; Fri, 27 Mar 2020 01:13:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KD4GL6OHxc4r for <ietf@ietfa.amsl.com>; Fri, 27 Mar 2020 01:13:10 -0700 (PDT)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [92.243.4.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C587E3A078C for <ietf@ietf.org>; Fri, 27 Mar 2020 01:13:09 -0700 (PDT)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id E3F4BA0093; Fri, 27 Mar 2020 09:13:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 2C6A4CA7E8; Fri, 27 Mar 2020 09:10:20 +0100 (CET)
Date: Fri, 27 Mar 2020 09:10:20 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Wout de Natris <denatrisconsult@hotmail.nl>
Cc: "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: A report on certain standards (was Re: United Nations report on Internet standards)
Message-ID: <20200327081020.GC14620@sources.org>
References: <AM0PR05MB6564247B76BE9434E87D1A90C2F50@AM0PR05MB6564.eurprd05.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <AM0PR05MB6564247B76BE9434E87D1A90C2F50@AM0PR05MB6564.eurprd05.prod.outlook.com>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 10.3
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/_cXp9uDdgR4PNod4X1I637_1QAA>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2020 08:13:12 -0000

On Fri, Mar 20, 2020 at 10:57:31AM +0000,
 Wout de Natris <denatrisconsult@hotmail.nl> wrote 
 a message of 238 lines which said:

> The topic of choice became deployment of internet standards:
> e.g. DNSSEC, RPKI and BCP38, but also the OWASP top 10, ISO 27001
> and secure software;

Yes, the choice of ISO 27001 is strange. It is not an "Internet
standard" in any way, and it is just a set of bureaucratic rules,
without any relationship to actual security.

> Others involve people with knowledge, i.e. your community, to assist
> in translating new standards into layman's speech and in
> dissemination to non-technical communities.

Many IETF participants already do it. The report contains zero ideas on
how to do it better or more broadly. (The fact that the report does
not mention that outreach must be done in the local language is a
weakness.)

But the report has other weaknesses:

* there are several unsubstantiated claims such as "some standards,
e.g. DNSSEC, may not have been thought through sufficiently". But
there is no detail: which problems do you see with DNSSEC? How to
improve it? IETF would like to create a 4033-bis with problems fixed.

* the report uses the very common narrative "The protocols or internet
standards, in other words were created without security in mind. At
best it was considered, after which it was decided security would not
be a priority. All the standards that are discussed here can in a way
be seen as digital band aids, fixing what only in hindsight was
flawed." I suggest that you read RFC 5218 for a good criticism of the
cliché "protocols should be designed with security in mind". Even now,
with the knowledge we have, designing secure systems is hard.

* the report keeps to the very outdated claim that there are two sorts
of standards, official ones and the others. It even pretends that ISO
is more "official". That's not true. Except for the rare cases where a
law mandates such and such a standard (which is not the case for ISO
27001, at least in my country), whether a standard is issued by IETF,
W3C, ISO or whatever, it is a standard, period.

* the report contains several criticisms without any
counter-arguments. For instance, "None of these organisations [the
RIRs] have tools to retract these resources when abused or otherwise
used in wrong ways." The report seems to ignore that it would be
pointless: an RIR can withdraw an allocation, but it will still be used,
and it will be impossible to re-allocate. (RPKI may change that.)

* another example where the report is technically questionable is when
it says "create a new internet. Work on this solution is actually
being carried out and published on". (Which is substantiated by a
reference to the Cerre report which, itself, mentions RINA and SCION,
which says a lot about its credibility.)

> To focus not only on the technicians that have to deploy physically,
> but on those who can influence decisions to deploy and those
> deciding on the financial and resource wherewithal to deploy. Many
> participants, including IETF active, agreed that steps outside of
> the technical realm are necessary for these standards -and not only
> the IETF ones as you could see- to be deployed in a serious way,
> making all internet users more secure immediately and
> indiscriminately. Ideally without primarily government involvement.

The report is also problematic in what it does not mention. It is
silent about political disagreements. If encryption took so long to be
deployed, it was not because of technical issues but because several
important stakeholders actively resisted, because they want the ability
to conduct surveillance. No amount of outreach will make people adopt
a technical standard which goes against their interests. The tussle is
unavoidable.