<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>On 7/20/2020 12:05 PM, Paul Wouters wrote:<br>
</p>
<blockquote type="cite"
cite="mid:alpine.LRH.2.23.451.2007201502270.149444@bofh.nohats.ca">On
Sun, 12 Jul 2020, Ben Laurie wrote:
<br>
<br>
<blockquote type="cite" style="color: #000000;">On Tue, 7 Jul 2020
at 05:15, Paul Wouters <a class="moz-txt-link-rfc2396E"
href="mailto:paul@cypherpunks.ca" moz-do-not-send="true"><paul@cypherpunks.ca></a>
wrote:
<br>
And if it makes you feel better, once I investigated the
history and
<br>
lack of justification of RFC 5114, which Steve Kent
admitted to having
<br>
just forwarded from NSA/BNN to IETF without explanation, I
pushed to
<br>
kill the whole thing. It's now dead.
<br>
<br>
Not noticeably: <a class="moz-txt-link-freetext"
href="https://tools.ietf.org/html/rfc5114"
moz-do-not-send="true">https://tools.ietf.org/html/rfc5114</a>
<br>
</blockquote>
<br>
What were you hoping to see there? A historic status? I'm afraid a
lot
<br>
more time would need to pass for the IESG to do that. But anyone
can ask
<br>
them to, you don't need to write an RFC for it.
<br>
<br>
Note, when I said "It is now dead", I meant for IKE/IPsec. I don't
think
<br>
TLS ever saw much use either, but I simply don't know if it is in
use
<br>
there or not.</blockquote>
<p><br>
</p>
<p>Paul, when you say "I don't think TLS ever saw much use either",
could you qualify the context for that lack of use? We get all
kinds of statistics showing that the majority of the web
connections are now using HTTPS, and that the TLS 1.3 version is
being deployed, e.g., <a class="moz-txt-link-freetext" href="https://ietf.org/blog/tls13-adoption/">https://ietf.org/blog/tls13-adoption/</a>.</p>
<p>This brings us to the questions about "what did we learn" and
"what would we do now"? Of course, we learned that the NSA and
others are spying on the Internet connections. We learned that the
end-to-end model of deployment worked well for TLS and HTTPS, and
also for SSH. We learned with the Let's Encrypt initiative that
automating X.509 certificate acquisition and renewal helped
deployment a lot. We also learned that there are two big issues
left unaddressed: the collection of metadata, and corporate
surveillance.</p>
<p>Many people have been working to limit the metadata available
outside of the encryption enveloped, but there are still hard
issues. For TLS, SNI Encryption is almost ready for
standardization, and that would be one big step. The work on DNS
encryption complements that. But there are still large gaps -- for
example, there seems to be no appetite to diminish metadata in
email messages, because it is used for controlling spam. The need
to control spam and malware is also used as an argument to resist
DNS encryption, and resist metadata removal in general. And then,
the IP addresses are also metadata, which only Tor seems to remove
so far.</p>
<p>On the other hand, focusing on this type of leaks feels a bit
like the quip about "speeding ticket at Indianapolis" in
"Apocalypse Now". The apocalypse is happening already, with the
generalized surveillance implemented by Google, Facebook and their
likes. What is the good of encrypting web connections if the other
end is going to conduct a web auction and broadcast the metadata
to all auctioneers? What is the point of focusing on little
details when companies continue being funded to acquire as much
metadata as possible and sell it? What is the point of limited
collection by government agencies when they can just turn around
and get the data from resellers, like the CBP just did by buying
databases of license plate surveillance?</p>
<p>-- Christian Huitema<br>
</p>
</body>
</html>