Re: [perpass] politics and the ietf

[Stephen Kent <kent@bbn.com>]

Harry,

> ...
>
> In the "early days" of the Internet, to my knowlege, the Internet was 
> more of a research project amongst co-operative researchers at places 
> like MIT, SRI, and CERN with the Web so security and privacy concerns 
> were minimal at best. I'm not sure what else can explain early RFCs :) 
> Obviously this has changed, and now folks have to retro-fit these 
> security on top the system.
As one who has been actively involved since "the early days" I have to 
disagree with your characterization. Internet R&D was funded primarily 
by the U.S. DoD, and thuis security was a consideration. Moreover, the 
sort of passive and active wiretapping attacks that we're discussing, 
ones that can be carried out by nation states, were a concern. The
technical approach to dealing with such attacks was to employ 
encryption, on an end-to-end basis, for realtime communication. Sound 
familiar?

BBN built a basic e-t-e encryption device (the PLI) in the mid-1970's, 
for use in the ARPANET. Later in the 70's we worked with ARPA (now 
DARPA) to develop a more sophisticated system, one that worked with 
TCP/IP, provided per-connection security associations, and which used a 
KDC. (This was a few years before the MIT Kerberos project began and 
long before public key crypto was considered practical.)

All of this was well before development of the Web, even before DNS, in 
a simpler
environment. My point is that technology was developed to provide protection
against passive and active wiretapping of Internet protocols. It was not 
developed for
the software implementations that we see in OSes, because the DoD 
understood the vulnerabilities that arise in a software-based 
implementation. The solutions focused on external, hardware crypto, 
inline between a computer (or a gateway) and the Internet. That made the 
solutions developed for the DoD environment unattractive for typical 
commercial, much less, residential users.

Steve