Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

SM <sm@resistor.net> Fri, 06 September 2013 07:07 UTC

Return-Path: <sm@resistor.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF9C811E8165 for <ietf@ietfa.amsl.com>; Fri, 6 Sep 2013 00:07:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.58
X-Spam-Level:
X-Spam-Status: No, score=-102.58 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJRUCFbLwcBF for <ietf@ietfa.amsl.com>; Fri, 6 Sep 2013 00:07:30 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id D0E4711E8281 for <ietf@ietf.org>; Fri, 6 Sep 2013 00:07:29 -0700 (PDT)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r8677CeC011755; Fri, 6 Sep 2013 00:07:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1378451241; bh=7wwzMTKYvI+G3/A06a9e8P6TQkkMTx5n3qzYpifl5Ps=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=CQHF2V7A9mIocpwoBBdJmXfds9UintbO+13ilyBBWaDJjN/B25YF09UuxWLJjojxV aRDorXqdSmmpjWy57KaSGjlQufN0EkUAy9vAdAnNToiVUbu8608eh1/cdKkvd+cFxN 4MN2XbvPf7WA8+7XPOZcM1xuV79oUN1IL6tXbH+Q=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1378451241; i=@resistor.net; bh=7wwzMTKYvI+G3/A06a9e8P6TQkkMTx5n3qzYpifl5Ps=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=n/4eL7fja0yuvqKTq9LnWhYiabkWx7pw0rEauFjNfajsTwvsR2K2XkYc6h5T1aM9N lI0jFUAIKZX31sOnB+mnLLpvrfnklXv7S3R4OZclvtkt9QFx5c4k6YZTaaEdbh0AxD 2iFR68skxEb1EelIsGXPcq/t05Zs/7jEq6DrzI08=
Message-Id: <6.2.5.6.2.20130905205602.0666f360@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Thu, 05 Sep 2013 23:46:18 -0700
To: Vinayak Hegde <vinayakh@gmail.com>, Ted Lemon <ted.lemon@nominum.com>, Jari Arkko <jari.arkko@piuha.net>
From: SM <sm@resistor.net>
Subject: Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA
In-Reply-To: <CAKe6YvMZmAUog1tNHZ8mX61vBsALj+bw6gbM9V5EdQSLva4nJQ@mail.gmail.com>
References: <5F053C0B-4678-4680-A8BF-62FF282ADDCE@softarmor.com> <alpine.BSF.2.00.1309051743130.47262@hiroshima.bogus.com> <52293197.1060809@gmail.com> <CAMm+LwjdN478yyU=J7=GTpQxqtdgP8wtdEtna50X+WtA-bV3hg@mail.gmail.com> <CAKe6YvMZmAUog1tNHZ8mX61vBsALj+bw6gbM9V5EdQSLva4nJQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ietf@ietf.org, Dean Willis <dean.willis@softarmor.com>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2013 07:07:32 -0000

At 20:32 05-09-2013, Vinayak Hegde wrote:
>While it is nice to do a dedication of this meeting to the NSA 
>surveillance, I do not see us solving any issue here. It is merely a 
>"feel-good" measure without real impact.

:-)

>Second, technology can never fix what is essentially a political 
>problem, e.g. we mandate strong security protocols and end-to-end 
>encryption in HTTP(S) by default. Let's

In a Last Call comment a few months ago it was mentioned that a 
specification takes the stance that security is an optional 
feature.  I once watched a Security Area Director spend thirty 
minutes trying to explain to a working group that a security feature 
should be implemented.  If I recall correctly the working group was 
unconvinced.

Would the community raise it as an issue during a Last Call if a 
proposed protocol did not have strong security features?  It's up to 
the reader to determine the answer to that.

>  assume all browsers implement this and do this perfectly without 
> software flaws. All the NSA has to do is to compromise the other 
> endpoint (controlled by ACME major corp). ACME gives over the 
> encryption keys and access to all the unencrypted data to the NSA. So now

Yes.

>  what are we going to do. The IETF can make a political statement 
> by taking a stand but that may mean nothing in reality when the 
> laws are weak. Another example is when you have

Taking a stand that means nothing is a feel-good measure.

>  encrypted your drive and do not want to hand over the keys as it 
> has some personal (and possibly incriminating evidence). In several 
> countries you can be held in jail indefinitely (with obvious 
> renewals of sentences) until you hand the keys over[1]. So in 
> summary, technology cannot solve political and legal issues. At 
> best it can make it harder. But in this case maybe not even that.

The IETF outlook does not apply in several countries.  The IETF does 
not seem to pay much attention to those details (re. handing over the 
keys).  It's not clear what the emergency is.  Phillip Hallam-Baker 
and Brian Carpenter already mentioned that it's not like this is a surprise.

According to a news article key architects of the Internet plan to 
fight back by drawing a plan to defend against state-sponsored 
surveillance.  Anyway, if someone really wanted to call for an 
emergency response the person would have sent it to an IETF mailing list.

At 20:08 05-09-2013, Ted Lemon wrote:
>I think we all knew NSA was collecting the data.   Why didn't we do 
>something about it sooner?   Wasn't it an emergency when the PATRIOT 
>act was passed?   We certainly thought it was an emergency back in 
>the days of Skipjack, but then they convinced us we'd won.   Turns 
>out they just went around us.

I would describe it as a scuffle instead of a battle.  My guess is 
that the IETF did not do anything sooner as nobody knows what to do, 
or it may be that the IETF has become conservative and it does not 
pay attention to the minority report.

At 23:04 05-09-2013, Jari Arkko wrote:
>I think we should seize this opportunity to take a hard look at what 
>we can do better.

:-)

>And please do not think about all this just in terms of the recent 
>revelations. The

That's an interesting perspective.

>  security in the Internet is still a challenge, and if there are 
> improvements they will be generally useful for many reasons and for 
> many years to come. Perhaps this year's discussions are our ticket 
> to motivate the world to move from "by default insecure" 
> communications to "by default secure". Publicity and motivation are 
> important, too.

Yes.

Regards,
-sm