[Cryptography] FW: IAB Statement on Internet Confidentiality

alex at alten.org alex at alten.org
Sun Nov 16 23:54:11 EST 2014


Hmm...the Reddit posting has had no responses.

On a more serious note, the IAB statement below opens up a whole can of worms.

1. The vast bulk of the Internet protocols now and in the future  
already exist. How are we going to retrofit them or somehow deal with  
them?  New secure protocols will be a tiny percentage of the installed  
base of insecure protocols.

2. You can't just encrypt/authenticate without dealing with key  
management, which adds more complexity and state to a protocol and  
supporting software. Is the IETF going to design a one-size-fits-all  
key management protocol?

3. You can't just add key management without dealing with policy  
adjudication. And you can't adjudicate without a (globally) scalable  
way to deal with the identity of humans and programs.  How do we  
represent and store policy attributes and rules? Is this beyond the  
purview of the IAB? If so, whom does the IAB coordinate with?

4. You can't encrypt without dealing with legal issues, like  
supporting judicial warrants for "wire taps". We cannot ignore most  
(democratic?) societies' need to investigate crime. (I expect to get  
heated flame mail over this point.)

5. You can't successfully secure your comm links if your nodes are  
insecure.  At the very least we will need to have operating systems  
that support something like a Biba integrity model for processes.  And  
to do this we need some sort of Reference Monitor inside each OS.  How  
can we do this without hardware support?  And how do we get all the OS  
vendors to agree to secure their OS's in a manner that supports these  
new (and retrofitted) protocols' keying and policy needs?

- Alex


Quoting ianG <iang at iang.org>:

> For what it is worth, I twittered the below statement last night,  
> and it got 2 orders of magnitude more response than anything I've  
> ever said.  I conclude that the IAB's statement has struck a public  
> nerve; there is clear approval in the public's mind.
>
> iang
>
> ps; I submit that this is a sensible top-post ;)
>
>
> On 14/11/2014 13:46 pm, Salz, Rich wrote:
>>
>> -----Original Message-----
>> From: IAB Chair [mailto:iab-chair at iab.org]
>> Sent: Friday, November 14, 2014 4:26 AM
>> To: IETF Announce
>> Cc: IAB; IETF
>> Subject: IAB Statement on Internet Confidentiality
>>
>> Please find this statement issued by the IAB today.
>>
>> On behalf of the IAB,
>>   Russ Housley
>>   IAB Chair
>>
>> = = = = = = = = = = = = =
>>
>> IAB Statement on Internet Confidentiality
>>

-- 
Alex Alten
alex at alten.org


