[Cryptography] The role of the IETF in security of the Internet: for or against the NSA? for or against the security of users of the net?
frantz at pwpconsult.com
Sun Mar 16 17:58:23 EDT 2014
On 3/16/14 at 7:49 AM, iang at iang.org (ianG) wrote:
>This is where the IETF has played the NSA game. Thanks to the IETF's WG
>platform of bringing together industry players, the emphasis is on
>protecting only *those who use the product*. Which meant that anyone
>not using the product was irrelevant. According to IETF unwritten
>policy, as enforced by industry players, everyone had to pay the price
>of admission in order to be considered worthy of protection.
I'm not convinced this analysis is correct. One analysis I like
takes from Machiavelli the thought that introducing new systems
is hard, because the old systems have a lot of inertia,
including the people who depend on them to make a living.
The only successful security model we have seen in wide
deployment is the CA model. (SSH is not generally used outside
small communities.) Guess what? The CA model comes complete with
a revenue model where a company can make a living.
With companies making a living from the CA model, their
employees have an incentive to join IETF standards efforts
effecting the companies business. Perhaps the companies will
even pay for them to attend IETF meetings, although one can
participate in IETF standards without leaving home.
WIth many people on the committee committed to the model, of
course it has strong support and appears in the resulting standard.
My conclusion is that for wide spread adoption, we need to have
a way for companies to make money so they will push adoption.
Doing this with a distributed trust system is a neat trick I
don't know how to do.
>The challenge then for IETF and browser players and all the industry is
>not to bring the URLs into the protection of SSL, it's way too late for
>that. The challenge is how to reform their working practices such that
>they serve the security of the Internet, rather than the NSA and its
What may be useful here is the YRUL
<http://www.waterken.com/dev/YURL/>. It includes a hash of the
server's public key so the client can know it is connecting to
the correct server without using a third party.
Cheers - BIll
Bill Frantz | Re: Computer reliability, performance, and security:
408-356-8506 | The guy who *is* wearing a parachute is
www.pwpconsult.com | first to reach the ground. - Terence Kelly
More information about the cryptography