RE: Security for various IETF services

<l.wood@surrey.ac.uk> Mon, 07 April 2014 00:37 UTC

Return-Path: <l.wood@surrey.ac.uk>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10FE61A0552 for <ietf@ietfa.amsl.com>; Sun, 6 Apr 2014 17:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bLyxhzXm3GOU for <ietf@ietfa.amsl.com>; Sun, 6 Apr 2014 17:37:22 -0700 (PDT)
Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9F43D1A00EC for <ietf@ietf.org>; Sun, 6 Apr 2014 17:37:22 -0700 (PDT)
Received: from [85.158.137.99:24174] by server-12.bemta-3.messagelabs.com id 06/77-14831-C33F1435; Mon, 07 Apr 2014 00:37:16 +0000
X-Env-Sender: l.wood@surrey.ac.uk
X-Msg-Ref: server-15.tower-217.messagelabs.com!1396831035!17158276!1
X-Originating-IP: [131.227.200.43]
X-StarScan-Received:
X-StarScan-Version: 6.11.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10864 invoked from network); 7 Apr 2014 00:37:16 -0000
Received: from exht022p.surrey.ac.uk (HELO EXHT022P.surrey.ac.uk) (131.227.200.43) by server-15.tower-217.messagelabs.com with AES128-SHA encrypted SMTP; 7 Apr 2014 00:37:16 -0000
Received: from EXMB01CMS.surrey.ac.uk ([169.254.1.150]) by EXHT022P.surrey.ac.uk ([131.227.200.43]) with mapi; Mon, 7 Apr 2014 01:37:15 +0100
From: <l.wood@surrey.ac.uk>
To: <huitema@microsoft.com>, <ietf@ietf.org>
Date: Mon, 7 Apr 2014 01:35:38 +0100
Subject: RE: Security for various IETF services
Thread-Topic: Security for various IETF services
Thread-Index: AQHPT1jcTXDUfJOah0OH2ltCrxPwgZsEwa4AgAB5wwCAAATOIIAAE6e/
Message-ID: <290E20B455C66743BE178C5C84F1240847E779EEC5@EXMB01CMS.surrey.ac.uk>
References: <533D8A90.60309@cs.tcd.ie> <53417832.90405@cs.tcd.ie> <alpine.LRH.2.01.1404061602580.14892@egate.xpasc.com>, <ecabb0a4080548d99ab083c0ff0c27ee@BLUPR03MB424.namprd03.prod.outlook.com>
In-Reply-To: <ecabb0a4080548d99ab083c0ff0c27ee@BLUPR03MB424.namprd03.prod.outlook.com>
Accept-Language: en-US, en-GB
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/j1spyzigSGBoBzyfnP_cePwPmVA
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 00:37:27 -0000

https://datatracker.ietf.org/wg/perpass/
that's a lot of drafts.

and yet perpass is still not a WG with formal process and charter? Odd, that.

Knee-jerk reactions are not good things.

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces@ietf.org] On Behalf Of Christian Huitema [huitema@microsoft.com]
Sent: 07 April 2014 00:30
To: ietf@ietf.org
Subject: RE: Security for various IETF services

> I agree with those who've said a threat analysis is needed before
> deciding access is limited to TLS or other secure alternative.

But we have that threat analysis, and the recommended mitigation is precisely "encrypt everything." The "pervasive monitoring" threat is analyzed by a number of perpass drafts, and Stephen has merely followed the conclusions of that analysis. There is no need to repeat that analysis for each and every tool that the IETF produces, and there is indeed a need for the IETF as a whole to "lead by example."

-- Christian Huitema