Re: [Uta] How can we help app developers and operators FIND the UTA go-to security guides?

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 21 February 2014 10:18 UTC

References: <CF294275.63067%york@isoc.org> <1d784b4ef87c4d869d2959a1e00960b5@BL2PR03MB290.namprd03.prod.outlook.com>
In-Reply-To: <1d784b4ef87c4d869d2959a1e00960b5@BL2PR03MB290.namprd03.prod.outlook.com>
Message-Id: <44DF52FC-37DF-4051-A735-F85ED1C2D0E5@isode.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Fri, 21 Feb 2014 10:27:10 +0000
To: "Orit Levin (LCA)" <oritl@microsoft.com>, Dan York <york@isoc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/NSetFs2bAONJzFvaJQWK0zoIIlY
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: Re: [Uta] How can we help app developers and operators FIND the UTA go-to security guides?
List-Id: UTA working group mailing list <uta.ietf.org>

> On 21 Feb 2014, at 00:37, "Orit Levin (LCA)" <oritl@microsoft.com> wrote:
> 
> Dan,
> I do think that it would be helpful to include UTA in "Deploy360" to help spread the word and bring additional knowledgeable parties to the table.

Sounds like a good idea to me.

> What do people think? Your feedback and suggestions will be helpful.
>  
> Thanks,
> Orit.
>  
>  
> From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Dan York
> Sent: Tuesday, February 18, 2014 2:02 PM
> To: uta@ietf.org
> Subject: [Uta] How can we help app developers and operators FIND the UTA go-to security guides?
>  
>  
> On 2/10/14 3:49 AM, "Orit Levin (LCA)" <oritl@microsoft.com> wrote:
>  
> > UTA deliverables are intended to serve as the go-to security guides for applications' 
> > developers and providers/operators. Navigating through numerous IETF RFCs (and drafts) 
> > in order to implement a specific protocol or deploy a service can be a very challenging task. 
>  
> I think this is a key point and one reason I'm personally so pleased to see this UTA working group created.  We definitely need to make it easier for application developers to understand how they can best implement TLS in their applications - and for network operators to best allow customers to use TLS-encrypted apps while still meeting their own operational and security needs.
>  
> While the focus of the UTA group and list right NOW needs to be on *creating* these "go-to security guides", I'd like to suggest that there's a second stage that needs to be thought about later in the process... and perhaps it is something that a few of us who are not directly involved in writing the documents can start thinking about now.  This second stage is to answer these questions:
>  
> 1. How will application developers find these "go-to security guides"?  How will they learn that we've created them?
> 2. How will network operators / ISPs find these "go-to security guides" that help them understand how they can best work with TLS-encrypted application traffic?
>  
> The basic question is - if we write these docs and publish them as RFCs (or BCPs), how can we help people know that these documents are out there to help them?
>  
> There's a second aspect, too - how will they know we are in the process of *writing* these documents and that we are seeking feedback?
>  
> In thinking about some of the application developers I know, I don't think many of them have a particular connection to the IETF and wouldn't necessarily think of RFCs as a source for documentation like this.  Similarly, I think many network operators (particularly smaller ones) don't have a strong connection to the IETF - or if they do, it may be more with some of the networking parts of the IETF versus something in the applications area.
>  
> I know that within the IETF we generally have a vehement allergic reaction to anything that remotely smells of (cough)(cough)"marketing"(cough)(cough) ... but if our end goal is to make activity over the Internet more secure through the widespread use of TLS, I think we *do* need to think about how we promote the fact that we (IETF) will have these "go-to security guides" available.
>  
> What do others think?   Are there people on the list now interested in talking a bit more about this?  Either on the list or sometime in London? (Perhaps outside of the main UTA meeting so as not to distract from a focus on getting the documents done?)
>  
> I have one way that I can personally help with this second stage of work.  The team I work on within the Internet Society operates the Deploy360 website ( http://www.internetsociety.org/deploy360/ ) and our task is to find, create and publicize materials to help accelerate the deployment of Internet technologies like IPv6 and DNSSEC.  Most recently we opened up a topic area on "Securing BGP" to help promote best practices and technologies that make BGP more secure.  Our focus is on finding (or creating if we can't find) high-quality materials with real-world deployment info and then sharing that out through social media, specialized conferences, speaking at events, online interaction, etc.
>  
> In talking about how we could help with this work here, it occurred to us that we could open up a new topic on the Deploy360 site about "TLS in Applications" and help promote the work this group is doing and do what we can to encourage developers and network operators to read the current drafts, provide feedback and get engaged with the process.  As the UTA documents get published we can then help promote the documents.  We can also promote other documents, tutorials, videos, etc. that people have created that would complement the guidance being written in these documents... and work with anyone interested from the list to make all this happen.
>  
> Some of you know of our work... does this seem like a reasonable way we (Deploy360) could help?   
>  
> If so I'm glad to help in that way... but I'd also note that anything we can do on Deploy360 is just a part of what I see as the broader need to help people find these documents.  Our efforts will help, but there needs to be more done by more people than just us.
>  
> Thoughts? Comments?  Feedback?   (Including telling me why I'm wrong about any or all of this...)
>  
> Thanks,
> Dan
>  
> --
> Dan York
> Senior Content Strategist, Internet Society
> york@isoc.org   +1-802-735-1624
> Jabber: york@jabber.isoc.org
> Skype: danyork   http://twitter.com/danyork
>  
> http://www.internetsociety.org/deploy360/ 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta