RE: Security for various IETF services

<l.wood@surrey.ac.uk> Thu, 03 April 2014 21:21 UTC

Return-Path: <l.wood@surrey.ac.uk>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD5781A02AF for <ietf@ietfa.amsl.com>; Thu, 3 Apr 2014 14:21:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xxQTA9dc9B72 for <ietf@ietfa.amsl.com>; Thu, 3 Apr 2014 14:21:16 -0700 (PDT)
Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.173]) by ietfa.amsl.com (Postfix) with ESMTP id C06151A02A4 for <ietf@ietf.org>; Thu, 3 Apr 2014 14:21:15 -0700 (PDT)
Received: from [195.245.230.131:19405] by server-13.bemta-3.messagelabs.com id 1A/4C-18692-6C0DD335; Thu, 03 Apr 2014 21:21:10 +0000
X-Env-Sender: l.wood@surrey.ac.uk
X-Msg-Ref: server-14.tower-78.messagelabs.com!1396560070!23709763!1
X-Originating-IP: [131.227.200.39]
X-StarScan-Received:
X-StarScan-Version: 6.11.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 20804 invoked from network); 3 Apr 2014 21:21:10 -0000
Received: from exht012p.surrey.ac.uk (HELO EXHT012P.surrey.ac.uk) (131.227.200.39) by server-14.tower-78.messagelabs.com with AES128-SHA encrypted SMTP; 3 Apr 2014 21:21:10 -0000
Received: from EXMB01CMS.surrey.ac.uk ([169.254.1.150]) by EXHT012P.surrey.ac.uk ([131.227.200.39]) with mapi; Thu, 3 Apr 2014 22:21:09 +0100
From: l.wood@surrey.ac.uk
To: stephen.farrell@cs.tcd.ie, ietf@ietf.org
Date: Thu, 03 Apr 2014 22:18:06 +0100
Subject: RE: Security for various IETF services
Thread-Topic: Security for various IETF services
Thread-Index: Ac9PWOTvs71UBGOqTsyzT3b1lZ7UEwAKU/Xc
Message-ID: <290E20B455C66743BE178C5C84F1240847E779EEB6@EXMB01CMS.surrey.ac.uk>
References: <533D8A90.60309@cs.tcd.ie>
In-Reply-To: <533D8A90.60309@cs.tcd.ie>
Accept-Language: en-US, en-GB
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-GB
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/k2KesyFLX8yRoVztIWh9njxO8E8
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2014 21:21:21 -0000

"nonetheless access to that data
should use best practices for security and privacy."

Why?

" New services will however generally only be made
available in ways that use security protocols such as
TLS."

Again, why?

Secured access is limited access, which is counter
to the goal of an open Internet.

thanks

Lloyd Wood
http://about.me/lloydwood
________________________________________
From: ietf [ietf-bounces@ietf.org] On Behalf Of Stephen Farrell [stephen.farrell@cs.tcd.ie]
Sent: 03 April 2014 17:21
To: IETF-Discussion
Subject: Security for various IETF services

Hi all,

From time to time the issue of how to secure IETF services
comes up, e.g. whether to turn on TLS for some IETF web server
or jabber or mail etc.

The most recent such was a request to turn on HSTS [1] for
the IETF web site, which I don't think we can do without
breaking old tools etc. Nonetheless we would like to turn
on things like TLS more often going forward as seemed to
me to be the outcome of a long thread on here late last
year.

So, the IESG are considering the following as an IESG
statement to offer some guidance about this:

"The IETF are committed to providing secure and privacy
friendly access to information via the web, mail, jabber
and other services. While most (but not all) data on IETF
services is public, nonetheless access to that data
should use best practices for security and privacy.
However, as there are numerous legacy tools that have been
built that require access via cleartext, the IETF will
continue to allow such access so as not to break such
tooling. New services will however generally only be made
available in ways that use security protocols such as
TLS."

If you have wordsmithing changes to suggest please just send
those to me or the iesg. More substantive comments should go
here I guess. I hope the only bit worth discussing (except
for the few folks who would rather we do none of this;-)
might be the last sentence.

A few weeks after any discussion here dies down I'll put the
resulting text on an IESG telechat for approval if that seems
like the right thing to do.

Thanks,
S

[1] https://tools.ietf.org/html/rfc6797