Re: [perpass] Getting started...

SM <sm@resistor.net> Sat, 17 August 2013 19:31 UTC

Return-Path: <sm@resistor.net>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD1611E8209 for <perpass@ietfa.amsl.com>; Sat, 17 Aug 2013 12:31:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.469
X-Spam-Level:
X-Spam-Status: No, score=-102.469 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLwFnMBDf88D for <perpass@ietfa.amsl.com>; Sat, 17 Aug 2013 12:31:48 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E67911E8186 for <perpass@ietf.org>; Sat, 17 Aug 2013 12:31:48 -0700 (PDT)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r7HJVW1r020879; Sat, 17 Aug 2013 12:31:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1376767897; bh=CY+iXIDc2IZAdOw6fLCbpwUYZV/KPVajg7kcugkizVA=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=LKp1l6K1nqHrCjWVH0sjPeJa2jQdwTs894DMmns7LVhLl8WLQZB2GM3cRLFJmhpg6 fvPZK5iB3i4F6NWvvch3SMFjyzZkBtgcqsA8R4UEEyB1IARndIfgvjK9mQsphITXa9 ZEUMvwN4kOBjDc8xQ0sj3d8z9zglbWkwkWbO4Jy8=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1376767897; i=@resistor.net; bh=CY+iXIDc2IZAdOw6fLCbpwUYZV/KPVajg7kcugkizVA=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=ed6DzxzbW/V97tieO01/zqDRHA2jWhrbr/dKAP2+9VeM4kRdsqq94VKRdusyiBqXc +DVUkGaSJ5Ud7cukmkECHsor7wR7c6Cfp5yb9e5HTwtGG0jO2Jb/Yawq5AOQqbf3N4 JyROPJvxhBgM8GAAoQ/cYirqW/6Lgk3BwBEHNzos=
Message-Id: <6.2.5.6.2.20130817115835.0b88a148@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Sat, 17 Aug 2013 12:30:12 -0700
To: Paul Wouters <paul@cypherpunks.ca>
From: SM <sm@resistor.net>
In-Reply-To: <alpine.LFD.2.10.1308171313400.10823@bofh.nohats.ca>
References: <520E5684.1090005@cs.tcd.ie> <6.2.5.6.2.20130816171144.0c01f738@resistor.net> <alpine.LFD.2.10.1308171313400.10823@bofh.nohats.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: perpass@ietf.org
Subject: Re: [perpass] Getting started...
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Aug 2013 19:31:49 -0000

Hi Paul,
At 10:20 17-08-2013, Paul Wouters wrote:
>I think we have learned since, that with things like session resumption,
>we can perhaps get both privacy and speed, although the session
>resumption in itself could also be an information leak.

Maybe the IETF could look at this from a "what have we learned" angle 
since then and how we can have privacy together with the features we would 
like to have.  To say it differently, if there is a trade-off between 
privacy and something else, do we sacrifice privacy in making that trade-off?

>Indeed. Many years ago when in The Netherlands, lawful interception
>became a reality for ISPs, and a tapping specification (TIIT) came into
>existence, ISPs were forced to install commercial "black boxes" that
>complied with the spec. I tried to get funding to make an open source
>implementation. I quickly found that no one wanted to be known for
>sponsoring an interception device. Everyone agrees an open source box
>is better than a black box, but everyone was afraid of misinterpretation.

It's bad PR and that's the angle people value more.  The benefit of 
having an open source implementation is that anyone who wants to know 
what is being done can read the source code instead of relying on 
rumors which lead to fear and deception.

By the way, you might have tried to implement too early, i.e. people 
may not have understood the value of what you were trying to 
do.  It's also difficult to get funding for anything that isn't 
mainstream if you happen to be in the wrong country.

Regards,
-sm