RE: Security for various IETF services

<l.wood@surrey.ac.uk> Fri, 04 April 2014 22:59 UTC

From: <l.wood@surrey.ac.uk>
To: <rwfranks@acm.org>, <hsantos@isdg.net>
Date: Fri, 4 Apr 2014 23:58:46 +0100
Subject: RE: Security for various IETF services
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/iSXpB4e2mOBIkrFICJXXitaWJ5s
Cc: ietf@ietf.org

I haven't had an answer to my questions from Stephen.

"nonetheless access to that data
should use best practices for security and privacy."

why?

"New services will however generally only be made
available in ways that use security protocols such as
TLS."

again, why?


"Because... SECURITY!" would not be a good answer.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces@ietf.org] On Behalf Of Dick Franks [rwfranks@acm.org]
Sent: 04 April 2014 21:12
To: Hector Santos
Cc: IETF-Discussion
Subject: Re: Security for various IETF services

On 4 April 2014 20:48, Hector Santos <hsantos@isdg.net> wrote:

Everyone else has already touched base with the same issues.

 Silence could easily be misconstrued as acceptance.

[snip]
  Stephen asked about the last sentence:

  New services will however generally only be made
  available in ways that use security protocols such as
  TLS.

Which to my eye looks like a conclusion; without a shred of justification and before any meaningful discussion has taken place.


26 messages on and the consensus thus far is that an answer to Lloyd Wood's one-liner is very much required.