- From: Adrien W. de Croy <adrien@qbik.com>
- Date: Tue, 03 Apr 2012 02:34:55 +0000
- To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
- Cc: "Robert Collins" <robertc@squid-cache.org>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
------ Original Message ------ From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie> >On 04/03/2012 02:55 AM, Adrien W. de Croy wrote: >> >>------ Original Message ------ >>From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie> >>> >>> >>>On 04/03/2012 12:22 AM, Robert Collins wrote: >>>>This seems rather timely: >>>>http://www.telegraph.co.uk/technology/news/9179087/Internet-activity-to-be-monitored-under-new-laws.html >>>> >>>> >>> >>>And not timely but relevant: >>>http://tools.ietf.org/html/rfc2804 >> >> >>OK, thanks for pointing that out. >> >>We are at a slightly different juncture than we were in 2000. > >Sure. > >> >>It seems to me, the issue of mandatory SSL is far from put to rest. >> >>In relation to RFC2804, it's one thing to take a position of not >>taking >>a position, which is fine and completely reasonable. >> >>It's another to promote a protocol that explicitly goes against the >>wishes of governments, and therefore creates problems for >>implementors, >>potentially criminalises users and implementors. Thats doesn't equate >>to >>not taking a position. > >I think you're missing some context. In ~1999 the US government >exerted >serious pressure to get the IETF to add a law enforcement field to >protocols that'd allow for key escrow. > >After an extended debate involving many, many IETF folks, we said no. >That was explicitly going against the government of the country from >which most IETF participants originate. > >IMO this doesn't speak to whether or not to mandate use of TLS, but >rather is only really relevant to the MITM-like features discussed >recently here, and maybe only when considering government actions. OK. At the end of the day, governments have other options. They can pass laws, and prosecute software vendors and users. They can develop their own protocols which comply with their laws. they don't need the IETF to condone them. I hate to think what a really hard-line regime would do. They could push the line pretty hard. I'm not saying this as a justification for wiretapping. In fact I'm not really interested in the wiretapping issue so much. I agree with the reasons for not allowing it, especially where the conclusion (IMO rightly) is reached that it actually reduces security for all. I also believe however that mandatory crypto would reduce its effectiveness for all, due to the IMO inevitable problems that would come with deploying it on such a massive scale, so we may end up with reduced security in the places we currently really need it. Adrien > >S > >> >>Even if we put wiretapping issues aside, there are plenty of other >>reasons why it's IMO unfeasible to make SSL/TLS mandatory, and these >>relate mainly to administrative, security, and infrastructural >>issues. >>We simply are not at a place where deployment of SSL certificates >>beyond >>the realms of technically proficient operators is feasible to >>support. >> >>We don't have a viable deployable alternative to certificates. >>Shared-secret is not viable for the web at large. >> >>We are also not at a place where we've solved the issues relating to >>certificate verification. OCSP servers are a highly central point of >>failure (with enormous consequences) and go down. >>We didn't even touch on deployability of TLS/SSL into tiny >>footprints, >>or the non-zero costs in terms of latency and CPU / RAM at various >>points in the network. >>Arguments about users right for privacy are political arguments, and >>fall afoul of RFC 2804 on the other side. >> >>Corporates also have a right and an increasing requirement to know >>what >>their resources are being used for. This requirement is getting >>stronger >>not weaker, as countries around the world roll out laws around >>internet >>copyright abuse. For instance in NZ, there's a 3 strike system now, >>with >>large fines etc. Companies need to be able to protect themselves from >>liability for their users' actions. >> >>I don't really have much more on the topic of mandatory-to-use SSL. >>In >>the end, if that's where the specs go, we are just escalating the >>arms >>race, which simply incurs cost on the users of these protocols, for >>which history may not thank us. We'll just have all the pain of >>everyone >>having to deploy SSL, and we'll get MITM as well. >>Cheers >>Adrien >> >> >>> >>>S >>>>-Rob >>>> >>> >> >> >> >
Received on Tuesday, 3 April 2012 02:35:22 UTC