RE: Security for various IETF services

<l.wood@surrey.ac.uk> Sat, 05 April 2014 13:41 UTC

Return-Path: <l.wood@surrey.ac.uk>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C00671A0182 for <ietf@ietfa.amsl.com>; Sat, 5 Apr 2014 06:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AWhy6iHqxTPv for <ietf@ietfa.amsl.com>; Sat, 5 Apr 2014 06:41:11 -0700 (PDT)
Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.171]) by ietfa.amsl.com (Postfix) with ESMTP id 3D96C1A017A for <ietf@ietf.org>; Sat, 5 Apr 2014 06:41:11 -0700 (PDT)
Received: from [85.158.137.99:25758] by server-11.bemta-3.messagelabs.com id 61/24-19438-1F700435; Sat, 05 Apr 2014 13:41:05 +0000
X-Env-Sender: l.wood@surrey.ac.uk
X-Msg-Ref: server-8.tower-217.messagelabs.com!1396705264!14082871!1
X-Originating-IP: [131.227.200.43]
X-StarScan-Received:
X-StarScan-Version: 6.11.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 18559 invoked from network); 5 Apr 2014 13:41:05 -0000
Received: from exht022p.surrey.ac.uk (HELO EXHT022P.surrey.ac.uk) (131.227.200.43) by server-8.tower-217.messagelabs.com with AES128-SHA encrypted SMTP; 5 Apr 2014 13:41:05 -0000
Received: from EXMB01CMS.surrey.ac.uk ([169.254.1.150]) by EXHT022P.surrey.ac.uk ([131.227.200.43]) with mapi; Sat, 5 Apr 2014 14:41:04 +0100
From: <l.wood@surrey.ac.uk>
To: <hsantos@isdg.net>, <rwfranks@acm.org>
Date: Sat, 5 Apr 2014 14:40:17 +0100
Subject: RE: Security for various IETF services
Thread-Topic: Security for various IETF services
Thread-Index: Ac9Q0g1ZWIrNnh4nRLeyP8py/UzDdAAAodTT
Message-ID: <290E20B455C66743BE178C5C84F1240847E779EEBF@EXMB01CMS.surrey.ac.uk>
References: <533D8A90.60309@cs.tcd.ie> <533EEF35.7070901@isdg.net> <CAKW6Ri5_Ty6rVsMTBKXEjC6r7Mg-o8pZoLQP+yJ4pBwqOF-nYw@mail.gmail.com> <533F0C7B.9090705@isdg.net> <CAKW6Ri699AuEOf-qf-iZ7vNdD7iEdF4uEnwX-HGB31EshJ_OXQ@mail.gmail.com>, <53400355.7030807@isdg.net>
In-Reply-To: <53400355.7030807@isdg.net>
Accept-Language: en-US, en-GB
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/c88rejkdLwEepyVLpD8i-NYIa1w
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Apr 2014 13:41:16 -0000

"I didn't see anything that stood out. Are you referring to his why
question?  Really?  It seems others answered why."

they did not.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces@ietf.org] On Behalf Of Hector Santos [hsantos@isdg.net]
Sent: 05 April 2014 14:21
To: Dick Franks
Cc: IETF-Discussion
Subject: Re: Security for various IETF services

On 4/4/2014 4:12 PM, Dick Franks wrote:
>
>        Stephen asked about the last sentence:
>
>        New services will however generally only be made
>        available in ways that use security protocols such as
>        TLS.
>
> Which to my eye looks like a conclusion;  without shred of
> justification and before any meaningful discussion has taken place.

I don't see anything odd about the statement. My input, once again and
I'll leave it at this, there might be 'new services' where the IETF
has no "legal" OR "Security Audit" choice but to provide it in secured
only mode and thus, for those who need to get access MUST be updated
with modern software client access tools that support such security,
not just TLS.   The IETF lawyer should determine if they must comply
with PCI/DSS security audits.  Thats all. It wasn't difficult.

Of course, where it isn't needed, its common sense to keep legacy
access for the old timers to access it via their own means or tools.
  That includes me with various simple access tools, in particular, a
non-SSL FTP scripting tool for quick command line download of RFC
files from the IETF ftp site.  If that was made SSL only, we would
have to update the script. I don't have time for that so it would
"break something" for me.

> 26 messages on and the consensus thus far is that an answer to Lloyd
> Wood's one-liner is very much required.

I didn't see anything that stood out. Are you referring to his why
question?  Really?  It seems others answered why.

Thanks for your comments.

--
HLS