Re: [saag] keys under doormats: is our doormat ok?

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Hiya,

On 13/07/15 17:20, Eliot Lear wrote:
> Hi Stephen,
> 
> On 7/13/15 3:28 PM, Stephen Farrell wrote:
>> Hiya,
>>
>> On 12/07/15 23:28, Dave Crocker wrote:
>>> I will also suggest that we ought to have the IETF review of the draft
>>> RFC for this include a segment at an IETF plenary. 
>> Just as a point of information for those who're considering there
>> may be external-to-the-IETF benefits in some form of renewal of
>> the relevant content from RFC 1984...
>>
>> One reason I figured RFC 1984 is still ok is that the IAB have quite
>> recently weighed in with an even stronger recommendation "that
>> encryption be deployed throughout the protocol stack." [1] And while
>> that's an IAB statement and hasn't been through the IETF consensus
>> process, and while that doesn't directly touch on mandated-key-escrow-
>> silliness, it does refer back to RFC 1984, as well as going further.
> 
> The reference to 1984 is in the IAB statement to demonstrate the
> continuum of time that the IAB and IESG have considered this issue.  
> There are some aspects of 1984 that could evolve.  Particularly the
> rationale in the section entitled "PROTECTION OF THE EXISTING
> INFRASTRUCTURE".  Encryption is required for there to be confidence in
> the infrastructure.
> 

True, however, it's also true that the lack of mandatory key escrow
is also an inherent part of 1984 and my assumption at least is that
the IAB think the same and were cognizant of that in their statement.

> 
>>
>> So I reckon that from a non-IETF perspective, [1] probably achieves
>> as much as we'd achieve with any easy method of "renewing" RFC 1984.
>> (I'm also not sure what "renewing" 1984 might mean exactly but I'm
>> sure we could figure some mechanics that'd work and if it turns out
>> I'm wrong above and folks do want some such thing, I'll of course
>> try help get that done.)
> 
> I think Christian used the term "reaffirming".  Before we do that, we
> people should really read through 1984 with a 2015 perspective.  The
> document has held together well, even with a few issues.  

Tend to agree. It's also addressing export of course but were any
of the recently mooted government silliness to become real, it'd
also have to involve controls on export/import as well as on usage
so that part of the analysis is actually still relevant I figure.
(There'd be an even bigger and even sillier impact on open source
the importance of which is nowadays probably better appreciated.)

> But to
> reaffirm would be to say that the 1996 world view is still applicable. 
> I don't think it is.  I think we'd make a different statement today. 
> Maybe this is what you mean by "renew".

TBH, I'm not sure what's meant by renew or re-affirming or anything
similar. So far, I think the suggestions made include an in-place
promotion to BCP, which I understand, or to do an update, meaning a
new RFC with revised content, which I also understand, and which
could aim for minimal or broader change. I don't get what or how
any other option might work out. Anyway, if we end up with consensus
to do something then I'm sure we can figure out the mechanics then.

S.


> 
> Eliot
> 
>