RE: Security for various IETF services Thu, 03 April 2014 23:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 26B8E1A03AA for <>; Thu, 3 Apr 2014 16:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vhURAjUSmOOr for <>; Thu, 3 Apr 2014 16:48:24 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 72B981A0210 for <>; Thu, 3 Apr 2014 16:48:24 -0700 (PDT)
Received: from by (PMDF V6.1-1 #35243) id <> for; Thu, 3 Apr 2014 16:43:20 -0700 (PDT)
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=iso-8859-1; format=flowed
Received: from by (PMDF V6.1-1 #35243) id <> (original mail from for; Thu, 3 Apr 2014 16:43:15 -0700 (PDT)
Message-id: <>
Date: Thu, 03 Apr 2014 16:35:41 -0700 (PDT)
Subject: RE: Security for various IETF services
In-reply-to: "Your message dated Thu, 03 Apr 2014 16:24:29 -0700" <p06240601cf639cb2113b@[]>
References: <> <> <p06240601cf639cb2113b@[]>
To: Randall Gellens <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Apr 2014 23:48:29 -0000

> My reaction is also to ask "Why?"  Security and privacy involve
> trade-offs where various costs (including operational difficulty) are
> weighed against the benefits, such as protecting information from
> unauthorized disclosure or modification.  So, I'd suggest that a
> blanket statement isn't a good idea, but rather, a service-by-service
> decision should be made.  For example, XMPP and document submission
> may justify requiring encryption while email and document retrieval
> might not.

Bingo. There's a perfectly reasonable case to be made for protecting any sort
of authorization/authentication exchange and not allowing alternatives.

But in the case of document distribution, our primary goal should be to insure
maximum availability and access to the information we provide, including
to those who are unable to whatever reason to use protected services.

And yes, I'm aware of the argument that access to certain standards, especially
ones themselves having to do with security, might be problematic to folks
living under some repressive regime or other. I don't buy it, mostly
because that level of paranoia is going to regard any sort of access to
IETF materials whatsoever as a red flag, especially it was conducted over