On 7/10/2017 3:38 PM, Stephen Farrell wrote:
> On 10/07/17 17:42, Colm MacCárthaigh wrote:
>> It's clear that there is a strong distaste here for the kind of MITM being
>> talked about
>
> It is not (only) "distaste," it is IETF policy as a result of
> a significant debate on wiretapping.

It is a policy some 17 years ago promulgated with respect to some very specific layer 9 threats and was pretty black and white. In 17 years we've gone from workstation class systems homed to application class servers to smart phones and the cloud. The SNI RFC was still three years out and strangely all the privacy stuff we're worried about now wasn't even part of the security considerations. TOR was still a DOD project. Basically, 2804 is woefully out of date with respect to the current state of the world.

What this discussion has shown me is that we probably:

a) need to take another look at 2804 with a view to updating it with respect to the IETF's general views on persistent threats of all kinds;

b) need to have whatever revision we make of 2804 provide for the concept that the owner of the data is not necessarily the sender/receiver of the data and has a vested interest in being able to control the flow of that information or protect themselves against persistent system threats (e.g. masked attackers) implicit in protecting against persistent privacy threats; and

c) follow the general IETF model of not reading each and every word in any given RFC as if it were immutable truth handed down for all eternity, and trust that we can - if we have the discussion - find a way forward through consensus building, not bullying.

Later, Mike

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls