W3C home > Mailing lists > Public > ietf-discuss@w3.org > July 1999

Re: IAB draft on security

From: Jacob Palme <jpalme@dsv.su.se>
Date: Mon, 26 Jul 1999 11:01:42 +0200
Message-Id: <v04210106b3c1d31e6300@[130.237.150.138]>
To: discuss@apps.ietf.org
Cc: smb@research.att.com
At 20.44 -0700 99-07-21, Paul Hoffman / IMC wrote:
>This list might be interested in draft-iab-secmech-01.txt. It 
>describes the applicability of various IETF security mechanisms to 
>various situations, including applications. Steve Bellovin says he 
>hasn't gotten much comment on it and wants to go to last call soon, 
>so you should review it soon and let him know if you have any 
>changes or desired additions.

The document, like many other security documents, tells too much 
about what will not work, too little on what will work. It seems as 
if security experts are better at telling you that something is 
dangerous or might not be secure, than telling you how to get 
security. I would prefer to get more practical advice with
recommendations on how to get the security you want.

This may be a reason why security techniques have so much trouble 
getting accepted and used.

I was interested to note the warnings against MD5, since MD5 is so 
popular. But why not tell us what we should use instead of MD5, 
instead of just saying that MD5 has security risks.

There was no mention of the export restriction problem with
encryption tools. Is this not a major problem? How can you
resolve it?
------------------------------------------------------------------------
Jacob Palme <jpalme@dsv.su.se> (Stockholm University and KTH)
for more info see URL: http://www.dsv.su.se/~jpalme
Received on Monday, 26 July 1999 05:07:24 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 23 March 2006 20:11:26 GMT