- From: Steven M. Bellovin <smb@research.att.com>
- Date: Mon, 26 Jul 1999 08:47:48 -0400
- To: Jacob Palme <jpalme@dsv.su.se>
- Cc: discuss@apps.ietf.org
In message <v04210106b3c1d31e6300@[130.237.150.138]>, Jacob Palme writes: > At 20.44 -0700 99-07-21, Paul Hoffman / IMC wrote: > >This list might be interested in draft-iab-secmech-01.txt. It > >describes the applicability of various IETF security mechanisms to > >various situations, including applications. Steve Bellovin says he > >hasn't gotten much comment on it and wants to go to last call soon, > >so you should review it soon and let him know if you have any > >changes or desired additions. > > The document, like many other security documents, tells too much > about what will not work, too little on what will work. It seems as > if security experts are better at telling you that something is > dangerous or might not be secure, than telling you how to get > security. I would prefer to get more practical advice with > recommendations on how to get the security you want. Hmm -- I thought that it was doing that; its whole purpose was to provide a list of techniques that could be used in specific niches. I'll reread it from that perspective. > > This may be a reason why security techniques have so much trouble > getting accepted and used. > > I was interested to note the warnings against MD5, since MD5 is so > popular. But why not tell us what we should use instead of MD5, instead of just saying that MD5 has security risks. Will fix. > > There was no mention of the export restriction problem with > encryption tools. Is this not a major problem? How can you > resolve it? The IETF decided long ago that this was (mostly) a US problem, and that we wouldn't let our standards be crippled to accomodate it.
Received on Monday, 26 July 1999 08:48:42 UTC