Re: [Iotops] [arch-d] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 07 December 2020 22:50 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 833283A0C06 for <iotops@ietfa.amsl.com>; Mon, 7 Dec 2020 14:50:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3JWd4Ncym8Ib for <iotops@ietfa.amsl.com>; Mon, 7 Dec 2020 14:50:57 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 877F83A0C03 for <iotops@ietf.org>; Mon, 7 Dec 2020 14:50:57 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 676D7389B1; Mon, 7 Dec 2020 17:53:05 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QdLhGOrR7VOc; Mon, 7 Dec 2020 17:53:04 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id CEBE8389AE; Mon, 7 Dec 2020 17:53:04 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 29FEC48F; Mon, 7 Dec 2020 17:50:56 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: iotops@ietf.org, architecture-discuss@iab.org
In-Reply-To: <CAGJRHzD7GhgXhgz69sNHqsN=GCZR37Y3Ysa25--NRbgWyyATSA@mail.gmail.com>
References: <f8486514-9726-68d0-2bc8-dccd4293017e@cs.tcd.ie> <DM6PR14MB317843CA2B3D67F6660F4F0DD7F10@DM6PR14MB3178.namprd14.prod.outlook.com> <127BB8C9-679E-48C1-8617-C6092AEE9914@fugue.com> <DM6PR14MB3178C1F8B6E4FD6E9FD9C8C4D7F10@DM6PR14MB3178.namprd14.prod.outlook.com> <8E6EB6FF-E83B-44B5-A0A2-7499678DC6B6@fugue.com> <DM6PR14MB317817FD62369A8E0FF93CA8D7F10@DM6PR14MB3178.namprd14.prod.outlook.com> <77363965-99A5-4790-B40B-011827C8D113@fugue.com> <80F697E4-B225-49E0-8271-CDAB66E42A95@cisco.com> <m2zh2sktty.wl-randy@psg.com> <277E5229-EFCC-4758-B4F6-6B159212BA14@ambotec.org> <20201207091854.GD44833@faui48f.informatik.uni-erlangen.de> <CACgrgBa+JMDBWWBotfQeJMc=LMbkH+JbkbQ_YkXS4GuccnbrVA@mail.gmail.com> <CAGJRHzD7GhgXhgz69sNHqsN=GCZR37Y3Ysa25--NRbgWyyATSA@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 07 Dec 2020 17:50:56 -0500
Message-ID: <2741.1607381456@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/w5eTozC3l1o3vNF_nWXLk-nYFME>
Subject: Re: [Iotops] [arch-d] How old is too old and what this means for product lifecycles? Re: [Last-Call] [TLS] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 22:51:00 -0000
Sávyo Vinícius <savyovm@gmail.com> wrote: > I really believe in the efficacy of an open source-based approach, but > there is a long way to develop a consistent framework (including community, > regulation, best practices, and other relevant stuff) to do it. > Still in this context, regulatory approaches need much attention because > they can be restrictive to those companies, and contribute to more > bankruptcies. http://geer.tinho.net/geer.blackhat.6viii14.txt and https://www.blackhat.com/us-14/video/cybersecurity-as-realpolitik.html What can the IETF do? Mostly what we are already doing, which is to make it cheaper and easier to build products where the clients and the servers don't have to be vertically integrated. ... some text to tease you into going to read/listen-to the whole thing: 3. Source code liability -- CHOICE Nat Howard said that "Security will always be exactly as bad as it can possibly be while allowing everything to still function,"[NH] but with each passing day, that "and still function" clause requires a higher standard. As Ken Thompson told us in his Turing Award lecture, there is no technical escape;[KT] in strict mathematical terms you neither trust a program nor a house unless you created it 100% yourself, but in reality most of us will trust a house built by a suitably skilled professional, usually we will trust it more than one we had built ourselves, and this even if we have never met the builder, or even if he is long since dead. The reason for this trust is that shoddy building work has had that crucial "or else ..." clause for more than 3700 years: If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death. -- Code of Hammurabi, approx 1750 B.C. Today the relevant legal concept is "product liability" and the fundamental formula is "If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes." For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer. Poul-Henning Kamp and I have a strawman proposal for how software liability regulation could be structured. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Iotops] How old is too old and what this means f… Eliot Lear
- Re: [Iotops] How old is too old and what this mea… Ted Lemon
- Re: [Iotops] How old is too old and what this mea… Randy Bush
- Re: [Iotops] How old is too old and what this mea… Ted Lemon
- Re: [Iotops] How old is too old and what this mea… Randy Bush
- Re: [Iotops] How old is too old and what this mea… Ted Lemon
- Re: [Iotops] How old is too old and what this mea… Randy Bush
- Re: [Iotops] How old is too old and what this mea… Randy Bush
- Re: [Iotops] [arch-d] How old is too old and what… Eric Rescorla
- Re: [Iotops] [arch-d] How old is too old and what… Randy Bush
- Re: [Iotops] [arch-d] How old is too old and what… Christian Huitema
- Re: [Iotops] How old is too old and what this mea… Amyas Phillips
- Re: [Iotops] How old is too old and what this mea… Eliot Lear
- Re: [Iotops] How old is too old and what this mea… Toerless Eckert
- Re: [Iotops] [arch-d] How old is too old and what… Henning Schulzrinne
- Re: [Iotops] [arch-d] How old is too old and what… Sávyo Vinícius
- Re: [Iotops] [arch-d] How old is too old and what… Randy Bush
- Re: [Iotops] [arch-d] How old is too old and what… Toerless Eckert
- Re: [Iotops] [arch-d] How old is too old and what… Michael Richardson
- Re: [Iotops] [arch-d] How old is too old and what… Michael Richardson
- Re: [Iotops] [arch-d] How old is too old and what… Sávyo Vinícius
- Re: [Iotops] How old is too old and what this mea… Randy Bush
- Re: [Iotops] How old is too old and what this mea… Eliot Lear