Re: [perpass] Commnets on draft-farrell-perpass-attack-00 was RE: perens-perpass-appropriate-response-01

[Mark Nottingham <mnot@mnot.net>]

Hi,

Can folks please stop cross-posting this to the HTTPbis WG? I'm sure we'll become aware of any relevant outcome of the discussion, and interested folks can join over on perpass.

Thanks,


On 5 Dec 2013, at 5:38 am, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:

> Hi Lloyd,
> 
> On 12/04/2013 10:55 PM, l.wood@surrey.ac.uk wrote:
>> I see you ignore the DRM point.
> 
> I don't understand your DRM point to be honest. It also does not seem to
> be relevant to this conversation. DRM standards have not been been
> developed in the IETF either.
> 
> draft-farrell-perpass-attack-00 does not specific solutions (which it
> states in the document).
> 
> If your argument is that security adds complexity to protocols then
> that's certainly true. The other option would be not to have security in
> protocols at all to make them "more lightweight". Do you seriously think
> that this is useful option (even before the NSA revelations)?
> 
> If your argument is that security problems on the Internet should be
> solved via legal / regulatory ways then please go ahead an make these
> proposals. Obviously, the IETF would be the wrong forum to do that. I am
> sure the European Commission, for example, is interested to listen to
> your proposals and will immediately issue new proposals for regulation.
> It would be great if those you think that there are regulatory solutions
> would in fact then work on those rather than just having technically
> minded people who push problems around.
> 
> If your argument is aging cryptographic algorithms require software to
> be updated then let me tell you that software gets updated even for
> functionality reasons. Do you think that all the software updates you
> get for you smart phone apps are only security fixes? There are,
> however, many software updates that relate to security vulnerabilities.
> My approach would, however, be to incorporate software update mechanisms
> into products (which is what pretty everyone in the industry seems to be
> doing) instead. While this is largely a non-IETF issue it would still be
> interesting to hear whether you have other suggestions.
> 
> Your suggestions to do more interoperability testing sounds reasonable
> to me. I have been involved in interoperability tests myself (and even
> organized a few). Those tend to have a different focus, namely to
> provide feedback about whether the implementations interpreted the specs
> correctly. Penetration testing is what you would typically do to
> discover security vulnerabilities. We typically don't do those (at least
> not that I have heard). As such, I would rather seen them as a
> orthogonal effort (which many in the IETF are involved in already
> anyway). Are you suggesting that we should also do penetration testing?
> 
> Please also note that "security" is not a monolithic block, as you can
> see from RFC 3552. In various discussions with you I got the impression
> that you dislike security in general. That can hardly be true since I am
> sure you like some of the security features in there as well. For
> example, you might find authentication a pretty cool concept to avoid
> others accessing your email account.
> 
> Ciao
> Hannes
> 

--
Mark Nottingham   http://www.mnot.net/