Re: [saag] [Pearg] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?

Alan DeKok <aland@deployingradius.com> Thu, 05 January 2023 15:18 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Subject: Re: [saag] [Pearg] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CABcZeBPc0r275AiCL=qWTnzFT9PoQ9WMHz+GcmQZG8pgv2dmbw@mail.gmail.com>
Date: Thu, 05 Jan 2023 10:18:00 -0500
Cc: John Mattsson <john.mattsson@ericsson.com>, "ietf@ietf.org" <ietf@ietf.org>, "pearg@irtf.org" <pearg@irtf.org>, Vittorio Bertola <vittorio.bertola@open-xchange.com>, saag <saag@ietf.org>, "hrpc@irtf.org" <hrpc@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4EB76682-E75C-413B-906B-6C5C7404A91C@deployingradius.com>
References: <HE1PR0701MB305098F652DBC34E3C40810B89F49@HE1PR0701MB3050.eurprd07.prod.outlook.com> <764163366.39904.1672842828297@appsuite-gw2.open-xchange.com> <CABcZeBNA_nJ2waQVENUvEXro91wAYOcH0ZxWqbLH4hoKcGkosw@mail.gmail.com> <9658281.42904.1672912808774@appsuite-gw2.open-xchange.com> <CA+9kkMBLiijcAyLYn_6h8z3N00EDaxdP=f7P2-qUt4Bn1iSWEg@mail.gmail.com> <HE1PR0701MB30505DC24A725E014D60FE0189FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <CABcZeBPc0r275AiCL=qWTnzFT9PoQ9WMHz+GcmQZG8pgv2dmbw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/gAwmos_EPQkHLFBIJ5nxQstL2W8>
Precedence: list

On Jan 5, 2023, at 8:58 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 3. Essentially none of these threats are the province of the IETF,
> which defines networking protocols. 

  The output of the IETF is networking protocols.  The input of the IETF is "good will" effort from individuals and corporations.  Corporations whose highest priority is to ship hardware which can run "Flappy Bird" at double the frame rate and resolution of the previous version.

  Witness the experience John and I had trying to update EAP for TLS 1.3.  While NIST published a document in 2019 [1] mandating all government suppliers support TLS 1.3 by 2024, actual "boots on the ground" effort has been lacking.  The afore-mentioned corporations shipping new hardware have been conspicuously absent in all relevant technical discussions.

  i.e. the security of literally billions of devices depended on John, and one highly opinionated Open Source person who isn't being paid to be here.

  We need to do better.

  The work in the IETF is often done by people who are senior enough to be allowed to be involved, or who are independent enough to care.  In many organizations, people with operational and/or implementation experience are often too junior to be allowed to participate.  This has been my experience in many WGs.

   I've been reading all of this discussion about protocols and legislation with a bit of amusement.  I see all that as necessary, but it is not sufficient.  My (and Johns) experience with EAP highlights this.  If we hadn't chosen to do the work, there's a good chance that it either wouldn't have been done, or would have been done too late to meet legislated time frames.

  The IESG and the IAB should take a serious look at which protocols need updating.  They should see which people are allowed to be involved in the IETF, and where in the company they sit.  They should find ways to get more participation from people who have operational and implementation experience.

  Until that happens, the input of the IETF is insufficient "good will" to secure core protocols.  The output of the IETF is window dressing.  The foundation of the Internet is built on sand.

  Alan DeKok.

[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

Ten years after Snowden (2013 - 2023), is IETF ke… John Mattsson
Re: Ten years after Snowden (2013 - 2023), is IET… Lloyd W
Re: Ten years after Snowden (2013 - 2023), is IET… Brian E Carpenter
Re: Ten years after Snowden (2013 - 2023), is IET… Phillip Hallam-Baker
Re: Ten years after Snowden (2013 - 2023), is IET… Christian Huitema
Re: [saag] Ten years after Snowden (2013 - 2023),… Dino Farinacci
Re: Ten years after Snowden (2013 - 2023), is IET… Dave Taht
Re: [hrpc] Ten years after Snowden (2013 - 2023),… Adrian Gropper
Re: [saag] Ten years after Snowden (2013 - 2023),… Stewart Bryant
RE: [saag] Ten years after Snowden (2013 - 2023),… Antoine FRESSANCOURT
Re: [saag] Ten years after Snowden (2013 - 2023),… Lloyd W
Re: Ten years after Snowden (2013 - 2023), is IET… Masataka Ohta
Re: [saag] Ten years after Snowden (2013 - 2023),… George Michaelson
Re: [hrpc] Ten years after Snowden (2013 - 2023),… Niels ten Oever
Re: Ten years after Snowden (2013 - 2023), is IET… Vittorio Bertola
Re: Ten years after Snowden (2013 - 2023), is IET… Dave Taht
Re: [saag] Ten years after Snowden (2013 - 2023),… Phillip Hallam-Baker
Re: [hrpc] Ten years after Snowden (2013 - 2023),… Paul Wouters
Re: Ten years after Snowden (2013 - 2023), is IET… Viktor Dukhovni
Re: [saag] Ten years after Snowden (2013 - 2023),… Eric Rescorla
Re: [saag] Ten years after Snowden (2013 - 2023),… Dino Farinacci
Re: [saag] Ten years after Snowden (2013 - 2023),… Dino Farinacci
Re: [saag] Ten years after Snowden (2013 - 2023),… Dino Farinacci
Re: [saag] Ten years after Snowden (2013 - 2023),… Brian E Carpenter
Re: [saag] Ten years after Snowden (2013 - 2023),… Phillip Hallam-Baker
Re: [saag] Ten years after Snowden (2013 - 2023),… Tony Rutkowski
Re: [Pearg] [saag] Ten years after Snowden (2013 … Vittorio Bertola
Re: [Pearg] [saag] Ten years after Snowden (2013 … Ted Hardie
Re: [Pearg] [saag] Ten years after Snowden (2013 … John Mattsson
Re: [saag] [Pearg] Ten years after Snowden (2013 … Tony Rutkowski
Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
Re: [saag] [Pearg] Ten years after Snowden (2013 … Kyle Rose
Re: [Pearg] [saag] Ten years after Snowden (2013 … Eric Rescorla
Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
RE: [Pearg] [saag] Ten years after Snowden (2013 … Antoine FRESSANCOURT
Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
Re: [saag] [Pearg] Ten years after Snowden (2013 … Alan DeKok
Re: [saag] [Pearg] Ten years after Snowden (2013 … Tony Rutkowski
Re: [saag] [Pearg] Ten years after Snowden (2013 … Phillip Hallam-Baker
Re: [EXT] Re: [Pearg] [saag] Ten years after Snow… Vittorio Bertola
Re: [saag] [Pearg] Ten years after Snowden (2013 … Alan DeKok
Re: [Pearg] [saag] Ten years after Snowden (2013 … Dave Taht
Re: [saag] [Pearg] Ten years after Snowden (2013 … Tony Rutkowski
Re: [hrpc] Ten years after Snowden (2013 - 2023),… Stephen Farrell
Re: [saag] Ten years after Snowden (2013 - 2023),… Dino Farinacci
Re: [Pearg] [saag] Ten years after Snowden (2013 … Deen, Glenn (NBCUniversal)
Re: [hrpc] [saag] [Pearg] Ten years after Snowden… bzs
Re: [saag] Ten years after Snowden (2013 - 2023),… Phillip Hallam-Baker
Re: [saag] Ten years after Snowden (2013 - 2023),… Dino Farinacci
Re: [hrpc] [saag] [Pearg] Ten years after Snowden… Laurence Lundblade
Re: [Pearg] [saag] Ten years after Snowden (2013 … Mark Nottingham
Re: [hrpc] Ten years after Snowden (2013 - 2023),… Abdussalam Baryun
Re: [hrpc] [saag] [Pearg] Ten years after Snowden… Abdussalam Baryun
Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
Re: [hrpc] [saag] [Pearg] Ten years after Snowden… Laurence Lundblade
Re: [saag] Ten years after Snowden (2013 - 2023),… Stewart Bryant
Re: [saag] Ten years after Snowden (2013 - 2023),… Stewart Bryant
Re: [saag] Ten years after Snowden (2013 - 2023),… Stewart Bryant
Re: [saag] Ten years after Snowden (2013 - 2023),… Brian E Carpenter
Re: [saag] Ten years after Snowden (2013 - 2023),… Kyle Rose
Re: [saag] Ten years after Snowden (2013 - 2023),… Phillip Hallam-Baker
Re: [saag] Ten years after Snowden (2013 - 2023),… Phillip Hallam-Baker
Re: [hrpc] [Pearg] [saag] Ten years after Snowden… Adrian Gropper
Re: [saag] Ten years after Snowden (2013 - 2023),… Dino Farinacci
Re: [saag] [hrpc] [Pearg] Ten years after Snowden… Tony Rutkowski
times square 15 sec delay new years Dave Taht
Re: [Pearg] [saag] Ten years after Snowden (2013 … Vittorio Bertola
Re: [saag] [Pearg] Ten years after Snowden (2013 … Alec Muffett
Re: [saag] [Pearg] Ten years after Snowden (2013 … Tony Rutkowski
Re: [saag] [Pearg] Ten years after Snowden (2013 … Alec Muffett
Re: [Pearg] [saag] Ten years after Snowden (2013 … Mark Nottingham
Re: [hrpc] [Pearg] [saag] Ten years after Snowden… Vittorio Bertola
Re: [hrpc] [Pearg] [saag] Ten years after Snowden… Ted Lemon
Re: [saag] [Pearg] Ten years after Snowden (2013 … Phillip Hallam-Baker
Re: [hrpc] [Pearg] [saag] Ten years after Snowden… Phillip Hallam-Baker
Re: [saag] [Pearg] Ten years after Snowden (2013 … Tony Rutkowski
Re: [Pearg] times square 15 sec delay new years Jens Finkhaeuser
Re: [Pearg] times square 15 sec delay new years Jens Finkhaeuser
Re: [saag] Ten years after Snowden (2013 - 2023),… Kyle Rose
Re: [Pearg] times square 15 sec delay new years Lloyd W
Re: [saag] [Pearg] Ten years after Snowden (2013 … Phillip Hallam-Baker
Re: [saag] [Pearg] Ten years after Snowden (2013 … Tony Rutkowski
Re: [saag] [Pearg] Ten years after Snowden (2013 … Lloyd W
Re: [saag] [Pearg] Ten years after Snowden (2013 … Phillip Hallam-Baker
Re: [saag] [Pearg] Ten years after Snowden (2013 … Keith Moore
Re: [saag] [hrpc] [Pearg] Ten years after Snowden… Masataka Ohta
Re: Re: [saag] [hrpc] [Pearg] Ten years after Sno… wanzerbusi
Re: [saag] Ten years after Snowden (2013 - 2023),… Masataka Ohta
Re: [Pearg] [saag] Ten years after Snowden (2013 … Fernando Gont
Re: [Pearg] [saag] Ten years after Snowden (2013 … Luigi Iannone