
Re: Comments on draft-farrell-perpass-attack-00 was RE: perens-perpass-appropriate-response-01

From: Josh Howlett <Josh.Howlett@ja.net>
Date: Thu, 5 Dec 2013 10:53:12 +0000
To: Ted Lemon <ted.lemon@nominum.com>, "<l.wood@surrey.ac.uk>" <l.wood@surrey.ac.uk>
CC: perpass <perpass@ietf.org>, "bruce@perens.com" <bruce@perens.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, IETF Discussion <ietf@ietf.org>
Message-ID: <CEC5F4B3.1282E%Josh.Howlett@ja.net>
>>
>>This is a political problem, not a technical problem. From a technical
>>perspective, caching static content matters.  Trying to figure out
>>problems that aren't security problems matters. Mandating secure
>>communications for worldwide http is pretty much the same as mandating
>>secure encrypted email worldwide - large failure modes, resulting in an
>>inability to communicate. Which is why use of secure email is not
>>widespread.
>
>I take it you haven't been reading the responses to Bruce's essay, or you
>would have seen that these points have already been discussed and refuted.

Without naming specific territories, pervasive monitoring of the kind that
has motivated this discussion has been imposed on a very large part of the
world's Internet-connected population for many years, in full knowledge of
the technical community (and, indeed, the educated layman); and allegedly
assisted by some of the well-known vendors represented here.

All that has happened is that the technical community, who are largely
based in other world regions, has just discovered that it, too, has been
subject to this pervasive monitoring. It is the indignation and affront
arising from the sudden closure of the gap between expectation and reality
that is driving this, not any novel specific technical threat or
vulnerability.

It is worth reflecting on what the reaction of the IAB/IESG might have
been if these revelations had surfaced shortly before IETF 79, rather than
around the bastions of liberalism in Berlin and Vancouver. Probably
somewhat different.

And let's not forget that many within the industry will have been aware of
the generalities of the monitoring before the disclosures, even if they
weren't familiar with the operational detail.

This is, therefore, most assuredly a political problem. But that is not an
argument not to increase security.

I fully support action to increase security, where it responds to the
prevailing threat environment. But it will be a perpetuation of the
naivety that has characterised this debate to think that this alone will
halt pervasive monitoring, because the threat is not technical in nature.
The technical response must be coordinated with a political response, or
else the perpetrators will find political means to route around the
technical measures.

The political response shouldn't be organised within the IETF, but it does
need to liaise with those responsible for doing that. Unfortunately I am
not observing any movement by any of the other parties within our
wonderful multi-stakeholder system that you would think would be
notionally responsible for this. My fear is that they are opting to drink
the technology Kool-Aid, to avoid grasping the political nettle. That is
what should be concerning us right now.

Josh.


Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Received on Thursday, 5 December 2013 10:53:41 UTC
