Re: [Pearg] [saag] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?
Tony Rutkowski <trutkowski.netmagic@gmail.com> Thu, 05 January 2023 16:00 UTC
Return-Path: <trutkowski.netmagic@gmail.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CCFDC14CE30; Thu, 5 Jan 2023 08:00:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pLOws6KSSePl; Thu, 5 Jan 2023 08:00:19 -0800 (PST)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67E89C14CE3F; Thu, 5 Jan 2023 08:00:19 -0800 (PST)
Received: by mail-qt1-x830.google.com with SMTP id x11so30224977qtv.13; Thu, 05 Jan 2023 08:00:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:references:cc:to :content-language:subject:reply-to:user-agent:mime-version:date :message-id:from:from:to:cc:subject:date:message-id:reply-to; bh=XjxCE4CwYFUg3Q0EKdSp+9K+6/DlqdJiFKr9OvuCFHs=; b=d991GIt5FzJnEmy9GTHn1JORpxLnt/2v9UqcPB49bzaCtn3zHvKrsYuiXJeogZ66rp AlI0j8pQd+q2qQlZkw1w+IywfrDmlL4g+fGH5jIqUAdxTW9+UyD4U3g/c/P7JFVkaGnz n85+W5INbZ1WcGSIIisKsrlqf2G0GKnd950iE0CUyPT6aBU3PzcCWwCHM6CjI6fNhsY7 q0PzmKXAHnBf9+Ob/AR7tKhRit80tPYPMVNXEz/xSirzyYklnPH9FxLunepps8os08QX 4gpRCDEC9h6motmUqYap7iMVeqeusX3smtykkvQUKcgCBIeGcvTrll1e+4bX9Jj0HdwL cKuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:references:cc:to :content-language:subject:reply-to:user-agent:mime-version:date :message-id:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=XjxCE4CwYFUg3Q0EKdSp+9K+6/DlqdJiFKr9OvuCFHs=; b=fS6PNSTkw4W2FoYZYtOvf3tMTQcTNaHqA+c2caC9UIVsV5u0Jqv67XLLlGVmRred6I GayFQWIE+wSQQiY1ZlDswRuTh/rv+xJ1eHXiCfekg8Jc9tc0w++Tb9pHeCX0pQNNEDdb 9ogWZytE6s6X7PrUBnUch+Jy5fyLbKnFGOvhJgCssxz+ONPoH0agiv+U7c1htS4kireg uMSpkhhMUoYAt9W/LMampUwAEOWnf2CCl8+NYEfiPvlJNy4eUD74yLYXSP0qFqm6gJl6 lg7KD0ycc+HLdm3NRV1u1aqYvPLaOzOJJl8p/JxrI/3a6lAnuz90+e/E/OppIdiZQv8w 6OEg==
X-Gm-Message-State: AFqh2kpFC4NZmxROn4XAwQ6ql7hCNPUWogZaf9BUCoFe46na6N2Bkc0q yWxXkLUmn7buFS5dzi+PzsFONrywRUY=
X-Google-Smtp-Source: AMrXdXvzbQM9RycTL9nM/kgyoNolREKqMgccxE6Wdi3C9UT+/ytXEl4FGXa9fxNz8A1z8/dOS8NPXw==
X-Received: by 2002:a05:622a:5c10:b0:3ab:7d29:2f96 with SMTP id gd16-20020a05622a5c1000b003ab7d292f96mr61606455qtb.40.1672934418444; Thu, 05 Jan 2023 08:00:18 -0800 (PST)
Received: from [192.168.1.249] (pool-70-106-222-156.clppva.fios.verizon.net. [70.106.222.156]) by smtp.gmail.com with ESMTPSA id bi1-20020a05620a318100b006f7ee901674sm25821250qkb.2.2023.01.05.08.00.17 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 05 Jan 2023 08:00:18 -0800 (PST)
From: Tony Rutkowski <trutkowski.netmagic@gmail.com>
X-Google-Original-From: Tony Rutkowski <trutkowski@netmagic.com>
Message-ID: <7ab59bd6-9457-e639-943d-83210ebeb068@netmagic.com>
Date: Thu, 05 Jan 2023 11:00:17 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Reply-To: trutkowski@netmagic.com
Content-Language: en-US
To: Alan DeKok <aland@deployingradius.com>, Eric Rescorla <ekr@rtfm.com>
Cc: Vittorio Bertola <vittorio.bertola@open-xchange.com>, "ietf@ietf.org" <ietf@ietf.org>, "pearg@irtf.org" <pearg@irtf.org>, saag <saag@ietf.org>, "hrpc@irtf.org" <hrpc@irtf.org>
References: <HE1PR0701MB305098F652DBC34E3C40810B89F49@HE1PR0701MB3050.eurprd07.prod.outlook.com> <764163366.39904.1672842828297@appsuite-gw2.open-xchange.com> <CABcZeBNA_nJ2waQVENUvEXro91wAYOcH0ZxWqbLH4hoKcGkosw@mail.gmail.com> <9658281.42904.1672912808774@appsuite-gw2.open-xchange.com> <CA+9kkMBLiijcAyLYn_6h8z3N00EDaxdP=f7P2-qUt4Bn1iSWEg@mail.gmail.com> <HE1PR0701MB30505DC24A725E014D60FE0189FA9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <CABcZeBPc0r275AiCL=qWTnzFT9PoQ9WMHz+GcmQZG8pgv2dmbw@mail.gmail.com> <4EB76682-E75C-413B-906B-6C5C7404A91C@deployingradius.com>
In-Reply-To: <4EB76682-E75C-413B-906B-6C5C7404A91C@deployingradius.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/qNK7r8DUI81GNow6is1Ez6TzsTk>
Subject: Re: [Pearg] [saag] Ten years after Snowden (2013 - 2023), is IETF keeping its promises?
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2023 16:00:23 -0000
Hi Alan, Actually, NIST has no authority to mandate anything related to encryption protocols - which is why the SP title is "guidance." SPs are referenced by other agencies that have authority - primarily for procurement purposes. The SP is also U.S. based with nuanced language concerning "support." The implementation and use has also been modified by NSA PP-20-1302. See https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF All of this is for good policy reasons and industry security concerns that resulted in ETSI's development of the Middlebox Security Protocol standards suite, especially TS 103 523-3, "Middlebox Security Protocol; Part 3: Enterprise Transport Security," for TLS 1.3 implementations. See https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.03.01_60/ts_10352303v010301p.pdf NIST itself has undertaken a NCCoE initiative to deal with the related challenges. See https://www.nccoe.nist.gov/sites/default/files/legacy-files/tls-1.3-visibility-project-description-draft.pdf. ETSI has established the Encrypted Traffic Integration Industry Group. See https://portal.etsi.org/tb.aspx?tbid=888&SubTB=888#/ Finally, the European Union - which very much has regulatory authority - has published Resolution (EC) 13084/1/20, Council Resolution on Encryption - Security through encryption and security despite encryption, https://data.consilium.europa.eu/doc/document/ST-13084-2020-REV-1/en/pdf All of this may explain the lack of "boots on the ground" in the IETF. The boots have moved to other more pragmatic, real-world ground. :-) best, tony On 1/5/2023 10:18 AM, Alan DeKok wrote: > On Jan 5, 2023, at 8:58 AM, Eric Rescorla <ekr@rtfm.com> wrote: >> 3. Essentially none of these threats are the province of the IETF, >> which defines networking protocols. > The output of the IETF is networking protocols. The input of the IETF is "good will" effort from individuals and corporations. Corporations whose highest priority is to ship hardware which can run "Flappy Bird" at double the frame rate and resolution of the previous version. > > Witness the experience John and I had trying to update EAP for TLS 1.3. While NIST published a document in 2019 [1] mandating all government suppliers support TLS 1.3 by 2024, actual "boots on the ground" effort has been lacking. The afore-mentioned corporations shipping new hardware have been conspicuously absent in all relevant technical discussions. > > i.e. the security of literally billions of devices depended on John, and one highly opinionated Open Source person who isn't being paid to be here. > > We need to do better. > > The work in the IETF is often done by people who are senior enough to be allowed to be involved, or who are independent enough to care. In many organizations, people with operational and/or implementation experience are often too junior to be allowed to participate. This has been my experience in many WGs. > > I've been reading all of this discussion about protocols and legislation with a bit of amusement. I see all that as necessary, but it is not sufficient. My (and Johns) experience with EAP highlights this. If we hadn't chosen to do the work, there's a good chance that it either wouldn't have been done, or would have been done too late to meet legislated time frames. > > The IESG and the IAB should take a serious look at which protocols need updating. They should see which people are allowed to be involved in the IETF, and where in the company they sit. They should find ways to get more participation from people who have operational and implementation experience. > > Until that happens, the input of the IETF is insufficient "good will" to secure core protocols. The output of the IETF is window dressing. The foundation of the Internet is built on sand. > > Alan DeKok. > > [1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [Pearg] Ten years after Snowden (2013 - 2023), is… John Mattsson
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Christopher Wood
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Brian E Carpenter
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Phillip Hallam-Baker
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Christian Huitema
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Dave Taht
- Re: [Pearg] [hrpc] Ten years after Snowden (2013 … Adrian Gropper
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Stewart Bryant
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eliot Lear
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Antoine FRESSANCOURT
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Lloyd W
- Re: [Pearg] [saag] Ten years after Snowden (2013 … George Michaelson
- Re: [Pearg] [hrpc] Ten years after Snowden (2013 … Niels ten Oever
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Vittorio Bertola
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Dave Taht
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… John Mattsson
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Stewart Bryant
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eric Rescorla
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Christian Huitema
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eliot Lear
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brian E Carpenter
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Vittorio Bertola
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Ted Hardie
- Re: [Pearg] [saag] Ten years after Snowden (2013 … John Mattsson
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Kyle Rose
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Antoine FRESSANCOURT
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Eric Rescorla
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alan DeKok
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [EXT] Re: [saag] Ten years after Snow… Vittorio Bertola
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alan DeKok
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dave Taht
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [hrpc] Ten years after Snowden (2013 … Stephen Farrell
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Deen, Glenn (NBCUniversal)
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… bzs
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Laurence Lundblade
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Mark Nottingham
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Abdussalam Baryun
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Brad Chen
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Laurence Lundblade
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Adrian Gropper
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dino Farinacci
- Re: [Pearg] [saag] [hrpc] Ten years after Snowden… Tony Rutkowski
- [Pearg] times square 15 sec delay new years Dave Taht
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Dan Harkins
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Vittorio Bertola
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alec Muffett
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Alec Muffett
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Mark Nottingham
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Vittorio Bertola
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Ted Lemon
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [hrpc] [saag] Ten years after Snowden… Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Tony Rutkowski
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Lloyd W
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Phillip Hallam-Baker
- Re: [Pearg] Ten years after Snowden (2013 - 2023)… Fernando Gont
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Fernando Gont
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Luigi Iannone
- Re: [Pearg] [saag] Ten years after Snowden (2013 … Christian Huitema