[Cryptography] IPsec DH parameters, other flaws

Alfie John alfie at alfie.wtf
Mon Jul 20 03:06:00 EDT 2020


On 19 Jul 2020, at 14:55, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> 
> There are a few individuals who seemed to be always there to pour poison in people's ears and to encourage them to 'stand their ground' when insisting on some asinine security requirement that makes the whole thing undeployable.

All these war stories are great to finally be open and to a larger audience. Thanks everyone for adding their nuggets!

So it's 2020 and we now know that there's a concerted effort to actively sabotage standards and implementations by many actors (including large budgets to sway people at all levels). Considering a clean slate for the whole stack - from TCP, IP, BGP, DNS, HTTP, etc. and all the way to certificate infrastructure, application layer authentication, key management, etc.:

  - how would you design the state of the art with security as one of its primary goals (i.e. features and anti-features)
  - how would you manage the coordination differently (given the current way is prone to sabotage)

... and could these better systems be easily retrofitted on top of the current Internet (e.g. Tor vs HTTP, WireGuard vs IPsec)?

Alfie

--
Alfie John
https://www.alfie.wtf


