Re: Security for various IETF services

Stewart Bryant <stbryant@cisco.com> Mon, 07 April 2014 09:40 UTC

Message-ID: <53427277.30707@cisco.com>
Date: Mon, 07 Apr 2014 10:40:07 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Tim Bray <tbray@textuality.com>
Subject: Re: Security for various IETF services
References: <533D8A90.60309@cs.tcd.ie> <533EEF35.7070901@isdg.net> <27993A73-491B-4590-9F37-0C0D369B4C6F@cisco.com> <CAHBU6iuX8Y8VCgkY1Qk+DEPEgN2=DWbNEWVffyVmmP_3qmmmig@mail.gmail.com>
In-Reply-To: <CAHBU6iuX8Y8VCgkY1Qk+DEPEgN2=DWbNEWVffyVmmP_3qmmmig@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/_v0pbSnpc6QdIodtN6CkdjZC5Ew
Cc: The IESG <iesg@ietf.org>, IETF-Discussion <ietf@ietf.org>

On 05/04/2014 18:29, Tim Bray wrote:
> On Sat, Apr 5, 2014 at 1:50 AM, Stewart Bryant (stbryant) 
> <stbryant@cisco.com <mailto:stbryant@cisco.com>> wrote:
>
> > Please confirm that "friendly" implies that the user gets to
> > choose the degree of security privacy that they consider
> > appropriate, and that their applications and devices are not
> > encumbered with the overheads unless they choose to invoke
> > the privacy and security mechanisms.
>
> Here, I think, is a key issue.  I disagree with Stewart.  WHAT?!  How 
> can I possibly disagree with user choice?  Because, a huge majority of people
>
> (a) aren’t aware that there is a choice to be made, and shouldn’t need 
> to be
> (b) do not understand the technical issues surrounding the choice, and 
> shouldn’t have to
> (c) do not understand the legal/policy issues surrounding the choice, 
> and shouldn’t have to
>
> This includes both the people who use online services and the people 
> who offer them.  Thus, the only sane ethical position is to operate in 
> a mode that is private by default, because the consequences of a 
> negative failure (the user really didn’t need privacy but got it 
> anyhow) are immensely less damaging than the consequences of a 
> positive failure (the user really needed privacy but didn’t get it).
I could be persuaded towards "crypto by default", but I hear in these 
discussions "crypto as an exclusive mode", and I do not think that is an 
acceptable constraint on implementations.

Privacy and authentication always end up taking CPU, memory and 
bandwidth, which in turn costs money, silicon, power, weight and 
complexity. If a specific application requires privacy and/or 
authentication, then fine, but each case needs to be examined on its own 
merits. Now you may say "ah but we are getting so much better at the 
engineering that who cares about such things", to which I would point 
out that such thinking stunts our ability to build things that are 
orders of magnitude smaller, lighter, cheaper and more power efficient 
than we can conceive of today.

So please, let's not react to the recent news on spying by creating a 
security religion that in the end hurts us even more than the problem we 
are reacting to.

Stewart