Re: [perpass] Fwd: Re: perens-perpass-appropriate-response-01

Stephen Farrell <> Sun, 08 December 2013 20:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2F5F31AE0E2 for <>; Sun, 8 Dec 2013 12:50:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UdA1Z2R6dnz3 for <>; Sun, 8 Dec 2013 12:50:09 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 986271AE0E1 for <>; Sun, 8 Dec 2013 12:50:09 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 83E17BE5B; Sun, 8 Dec 2013 20:50:04 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XFVAkLH2Q9X7; Sun, 8 Dec 2013 20:50:03 +0000 (GMT)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 5A537BE59; Sun, 8 Dec 2013 20:50:03 +0000 (GMT)
Message-ID: <>
Date: Sun, 08 Dec 2013 20:49:53 +0000
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Nicholas Weaver <>
References: <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: perpass <>
Subject: Re: [perpass] Fwd: Re: perens-perpass-appropriate-response-01
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 08 Dec 2013 20:50:11 -0000

Hash: SHA1

On 12/08/2013 03:55 PM, Nicholas Weaver wrote:
> On Dec 7, 2013, at 4:09 PM, Bruce Perens <> wrote:
>> Well, we do have some HTTP uses where encryption that hides the 
>> content won't be allowed, and thus authentication is important.
>> We can't have encryption when we use HTTP over Amateur Radio in
>> the US and many other countries. There is self-policing on ham 
>> frequencies that requires that people be able to copy other 
>> people's transmissions, and encryption defeats that. Obviously
>> we don't put confidential data on those frequencies, that belongs
>> on your cell phone. So, an authentication-only WiFi protocol is
>> needed for Amateur Radio, and possibly an authentication-only
>> version of TLS.
> NO!!!!
> The reason is downgrade attacks.  A huge problem with the IPSec 
> standard is that NULL encryption was allowed in there, and also
> known weak modes (single DES, 720b D/H etc).  Its one of the
> primary reasons why John Gilmore and therefore others feel the
> IPSec process was sabotaged by the NSA.

Really? That makes no sense to me. I've never heard any report of a
use of IPsec that "accidentally" used a NULL or weak cipher. Have
you? And Jeff Schiller I think convincingly repudiated claims that
either the development process for IPsec or the output were
saobtaged in any such way.

I wasn't much involved myself but my impression was that we (the
IETF security community) shot ourselves in the foot a bit via
complexity and various refusals to prioritise progress and
deployment over purity.

We need to carefully balance security and pragmatism here IMO if
our goal is to make for a more secure and privacy friendly Internet.

I also think that throwing "sabotage" into the mix damages that
discussion so should be avoided.

Version: GnuPG v1.4.14 (GNU/Linux)