[Cryptography] The role of the IETF in security of the Internet: for or against the NSA? for or against the security of users of the net?

[ianG]

On 16/03/2014 21:58 pm, Bill Frantz wrote:
> On 3/16/14 at 7:49 AM, iang at iang.org (ianG) wrote:
> 
>> This is where the IETF has played the NSA game.  Thanks to the IETF's WG
>> platform of bringing together industry players, the emphasis is on
>> protecting only *those who use the product*.  Which meant that anyone
>> not using the product was irrelevant.  According to IETF unwritten
>> policy, as enforced by industry players, everyone had to pay the price
>> of admission in order to be considered worthy of protection.
> 
> I'm not convinced this analysis is correct. One analysis I like takes
> from Machiavelli the thought that introducing new systems is hard,
> because the old systems have a lot of inertia, including the people who
> depend on them to make a living.


Absolutely -- I set myself an almost impossible hurdle.  But that's
aside from whether the analysis is correct or not.

> The only successful security model we have seen in wide deployment is
> the CA model. (SSH is not generally used outside small communities.)


Skype.  Let's ask ourselves what would have happened if Skype had gone
the WG ID path?

> Guess what? The CA model comes complete with a revenue model where a
> company can make a living.


As did Skype.  And, Skype protected everyone within its reach (until it
didn't, but arguably it is still protecting people better than CAs ever
did.)

(Of course, I understand that people need to eat.    I need to eat, and
my crypto is currently begging for revenue... this is fraught;  for an
example of an unfolding revenue model eating its own babies, check out
Bitcoin.  I suppose we could look at the Jabber community for a
contrast, and also the myriad of chat things that made money like Snapchat.)


> With companies making a living from the CA model, their employees have
> an incentive to join IETF standards efforts effecting the companies
> business. Perhaps the companies will even pay for them to attend IETF
> meetings, although one can participate in IETF standards without leaving
> home.

All granted.  This says it is a good game for the corporates -- which I
agree with.  Indeed this is my point:  the model serves the companies
and not the Internet.

> WIth many people on the committee committed to the model, of course it
> has strong support and appears in the resulting standard.


+1

> My conclusion is that for wide spread adoption, we need to have a way
> for companies to make money so they will push adoption.


I agree that in order to wean companies off the teat of the IETF WG
business model, and therefore reduce their impact on security according
to the NSA's game plan, we might need a way to incentivise them in
another direction.

It's an option, but I don't think it is the only one.  Copying their
model is literally the wrong thing to do.


> Doing this with
> a distributed trust system is a neat trick I don't know how to do.


Well, not as of the moment.  The innovation space is fantastically
alive, and has found many exciting models (check out Auroracoin for some
revenue & security excitement this coming week!).

However, first things first.  First we need both the understanding of
what's wrong with the old model.  Second, we need the will to find another.


>> The challenge then for IETF and browser players and all the industry is
>> not to bring the URLs into the protection of SSL, it's way too late for
>> that.  The challenge is how to reform their working practices such that
>> they serve the security of the Internet, rather than the NSA and its
>> insecurity mission.
> 
> What may be useful here is the YRUL <http://www.waterken.com/dev/YURL/>.
> It includes a hash of the server's public key so the client can know it
> is connecting to the correct server without using a third party.


YURLs are yet another innovation that got battered to ignorance on the
rocks of the IETF WG business groups (or their near cousin, the Mozilla
security process).  There are many such innovations.  The process is not
about innovation, and it is not about security.  As you correctly
pointed out, it is about the maintenance of a business franchise for a
group of corporates that have settled into a stable group.

I claim:  stable revenue is the wrong strategy for security.

(Tyler played a big part in unearthing the problem.  When he was pushing
his YURL design for his anti-phishing plugin, he was told that he had to
join the security group in order to be heard.  When he tried, he was
told it was invite only.  Doors closed, slam.  It took another 4 years
or so to find out why tho.)



iang