Re: IAB draft on security

From: Steven M. Bellovin <smb@research.att.com>
Date: Mon, 26 Jul 1999 08:47:48 -0400
To: Jacob Palme <jpalme@dsv.su.se>
Cc: discuss@apps.ietf.org
Message-Id: <19990726124757.7B5F541F16@SIGABA.research.att.com>

In message <v04210106b3c1d31e6300@[130.237.150.138]>, Jacob Palme writes:
> At 20.44 -0700 99-07-21, Paul Hoffman / IMC wrote:
> >This list might be interested in draft-iab-secmech-01.txt. It 
> >describes the applicability of various IETF security mechanisms to 
> >various situations, including applications. Steve Bellovin says he 
> >hasn't gotten much comment on it and wants to go to last call soon, 
> >so you should review it soon and let him know if you have any 
> >changes or desired additions.
> 
> The document, like many other security documents, tells too much 
> about what will not work, too little on what will work. It seems as 
> if security experts are better at telling you that something is 
> dangerous or might not be secure, than telling you how to get 
> security. I would prefer to get more practical advice with
> recommendations on how to get the security you want.

Hmm -- I thought that it was doing that; its whole purpose was to provide
a list of techniques that could be used in specific niches.  I'll reread it
from that perspective.
> 
> This may be a reason why security techniques have so much trouble 
> getting accepted and used.
> 
> I was interested to note the warnings against MD5, since MD5 is so 
> popular. But why not tell us what we should use instead of MD5, 
> instead of just saying that MD5 has security risks.

Will fix.
> 
> There was no mention of the export restriction problem with
> encryption tools. Is this not a major problem? How can you
> resolve it?

The IETF decided long ago that this was (mostly) a US problem, and that we
wouldn't let our standards be crippled to accommodate it.
Received on Monday, 26 July 1999 08:48:42 GMT