
Re: [perpass] Comments on draft-farrell-perpass-attack-00 was RE: perens-perpass-appropriate-response-01

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Wed, 04 Dec 2013 18:38:08 +0000
Message-ID: <529F7690.2050302@gmx.net>
To: l.wood@surrey.ac.uk, ted.lemon@nominum.com
CC: perpass@ietf.org, bruce@perens.com, ietf-http-wg@w3.org, ietf@ietf.org
Hi Lloyd,

On 12/04/2013 10:55 PM, l.wood@surrey.ac.uk wrote:
> I see you ignore the DRM point.

I don't understand your DRM point to be honest. It also does not seem to
be relevant to this conversation. DRM standards have not been
developed in the IETF either.

draft-farrell-perpass-attack-00 does not specify solutions (which it
states in the document).

If your argument is that security adds complexity to protocols then
that's certainly true. The other option would be not to have security in
protocols at all to make them "more lightweight". Do you seriously think
that this is a useful option (even before the NSA revelations)?

If your argument is that security problems on the Internet should be
solved via legal / regulatory ways then please go ahead and make these
proposals. Obviously, the IETF would be the wrong forum to do that. I am
sure the European Commission, for example, is interested to listen to
your proposals and will immediately issue new proposals for regulation.
It would be great if those who think that there are regulatory solutions
would in fact then work on those rather than just having technically
minded people who push problems around.

If your argument is that aging cryptographic algorithms require software to
be updated then let me tell you that software gets updated even for
functionality reasons. Do you think that all the software updates you
get for your smart phone apps are only security fixes? There are,
however, many software updates that relate to security vulnerabilities.
My approach would, however, be to incorporate software update mechanisms
into products (which is what pretty much everyone in the industry seems to be
doing) instead. While this is largely a non-IETF issue it would still be
interesting to hear whether you have other suggestions.

Your suggestion to do more interoperability testing sounds reasonable
to me. I have been involved in interoperability tests myself (and even
organized a few). Those tend to have a different focus, namely to
provide feedback about whether the implementations interpreted the specs
correctly. Penetration testing is what you would typically do to
discover security vulnerabilities. We typically don't do those (at least
not that I have heard). As such, I would rather see them as an
orthogonal effort (which many in the IETF are involved in already
anyway). Are you suggesting that we should also do penetration testing?

Please also note that "security" is not a monolithic block, as you can
see from RFC 3552. In various discussions with you I got the impression
that you dislike security in general. That can hardly be true since I am
sure you like some of the security features in there as well. For
example, you might find authentication a pretty cool concept to avoid
others accessing your email account.

Ciao
Hannes
Received on Wednesday, 4 December 2013 23:32:00 UTC