[Cryptography] The role of the IETF in security of the Internet: for or against the NSA? for or against the security of users of the net?

Bill Frantz frantz at pwpconsult.com
Sun Mar 16 17:58:23 EDT 2014


On 3/16/14 at 7:49 AM, iang at iang.org (ianG) wrote:

>This is where the IETF has played the NSA game.  Thanks to the IETF's WG
>platform of bringing together industry players, the emphasis is on
>protecting only *those who use the product*.  Which meant that anyone
>not using the product was irrelevant.  According to IETF unwritten
>policy, as enforced by industry players, everyone had to pay the price
>of admission in order to be considered worthy of protection.

I'm not convinced this analysis is correct. One analysis I like 
takes from Machiavelli the thought that introducing new systems 
is hard, because the old systems have a lot of inertia, 
including the people who depend on them to make a living.

The only successful security model we have seen in wide 
deployment is the CA model. (SSH is not generally used outside 
small communities.) Guess what? The CA model comes complete with 
a revenue model where a company can make a living.

With companies making a living from the CA model, their 
employees have an incentive to join IETF standards efforts 
affecting the companies' business. Perhaps the companies will 
even pay for them to attend IETF meetings, although one can 
participate in IETF standards without leaving home.

With many people on the committee committed to the model, of 
course it has strong support and appears in the resulting standard.

My conclusion is that for widespread adoption, we need to have 
a way for companies to make money so they will push adoption. 
Doing this with a distributed trust system is a neat trick I 
don't know how to do.


>The challenge then for IETF and browser players and all the industry is
>not to bring the URLs into the protection of SSL, it's way too late for
>that.  The challenge is how to reform their working practices such that
>they serve the security of the Internet, rather than the NSA and its
>insecurity mission.

What may be useful here is the YURL 
<http://www.waterken.com/dev/YURL/>. It includes a hash of the 
server's public key so the client can know it is connecting to 
the correct server without using a third party.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        | Re: Computer reliability, performance, and security:
408-356-8506       | The guy who *is* wearing a parachute is *not* the
www.pwpconsult.com | first to reach the ground.  - Terence Kelly
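The key-fingerprint-in-the-URL idea above, as an added example that is not part of Bill's post and not code from the waterken YURL project. The URL layout is a simplified assumption for illustration (scheme "httpsy", fingerprint carried as "*<base32 SHA-256 of the DER public key>" in the userinfo part); the actual YURL specification may differ in hash and encoding. The public key blobs are constructed sample bytes standing in for DER SubjectPublicKeyInfo structures, since only the hash of the bytes matters here.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
# Any distinct byte strings demonstrate the mechanism; the client only
# ever compares a hash of what the server presents during the handshake.
SERVER_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-legitimate-server-key"
ATTACKER_SPKI = b"\x30\x59\x30\x13\x06\x07constructed-attacker-key-same-host"

SCHEME = "httpsy"  # assumed scheme name for this illustration


def fingerprint(spki_der: bytes) -> str:
    """SHA-256 of the DER public key, base32, unpadded, lowercase.

    Base32 keeps the fingerprint URL- and case-safe; 32 bytes encode to
    52 characters once the '=' padding is stripped.
    """
    digest = hashlib.sha256(spki_der).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def make_yurl(spki_der: bytes, host: str, path: str = "/") -> str:
    """Build a self-certifying URL: the key hash travels with the link."""
    return f"{SCHEME}://*{fingerprint(spki_der)}@{host}{path}"


def parse_yurl(url: str):
    """Return (expected_fingerprint, host, path); reject URLs with no hash.

    A URL without a fingerprint is an error rather than a fallback to
    CA or trust-on-first-use behaviour: the whole point is that the
    link itself names the key.
    """
    parts = urlsplit(url)
    if parts.scheme != SCHEME:
        raise ValueError(f"expected {SCHEME} URL, got scheme {parts.scheme!r}")
    user = parts.username
    if not user or not user.startswith("*") or len(user) == 1:
        raise ValueError("no key fingerprint in URL")
    return user[1:], parts.hostname, parts.path or "/"


def verify_server_key(url: str, presented_spki_der: bytes) -> bool:
    """Accept the connection only if the presented key hashes to the
    fingerprint embedded in the URL. No third party is consulted.

    compare_digest avoids leaking how many leading characters matched.
    """
    expected, _host, _path = parse_yurl(url)
    actual = fingerprint(presented_spki_der)
    return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


if __name__ == "__main__":
    link = make_yurl(SERVER_SPKI, "yurl.example", "/capability/123")
    print("link:", link)
    # Genuine server: the key it presents matches the hash in the link.
    print("genuine server accepted:", verify_server_key(link, SERVER_SPKI))
    # DNS hijack or rogue CA: right hostname, wrong key, still rejected.
    print("impostor accepted:", verify_server_key(link, ATTACKER_SPKI))
```

The check deliberately keys on the public key rather than the certificate, so the server can rotate certificates freely as long as it keeps the same key; changing the key means issuing new links, which is the cost of doing without a third party.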


