On Wed 2018-12-05 20:15:08 +0900, Bret Jordan wrote:
>> On Dec 5, 2018, at 7:33 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie>
>> wrote:
>>> On 05/12/2018 10:22, Bret Jordan wrote:
>>> I think we should be more open minded and look at the needs from a
>>> 360 degree deployment perspective.
>>
>> I think we should avoid marketing speak.
>
> This is not marketing speak. This is understanding how these solutions
> need to be deployed end to end in all of their scenarios from
> consumer, to small business, to enterprise, to service provider, to
> content provider, to telco, etc.

Perhaps one of the reasons that this might come across as marketing
speak to some people is that your list of "all their scenarios" appears
to be only business use cases (where the individual people involved are
at most consumers of business products). You haven't mentioned
journalists, disk jockeys, activists, flat earthers, dissidents,
students, medical professionals, juggalos, community organizers, gun
nuts, cryptozoologists, whistleblowers, LGBTQ folx, refugees, free
software developers, elected officials, religious minorities, senior
citizens, or any of the other non-business use cases that may depend on
TLS for confidentiality, integrity, authenticity, or any of the other
information security guarantees that are put at risk by proposals like
this.

One of the concerns the last time we danced this dance was that the
proposal claimed to be interested in one use case only: "the enterprise
data center", and yet offered no meaningful way to effectively limit its
(ab)use outside the data center. This objection was raised clearly, and
the proponents of the protocol change failed to address it. And now it
appears that instead of addressing the concern, they forum-shopped until
they found a place to publish the same approach without even
acknowledging the concern that this could have an impact beyond the data
center.

A full 360 degree view might acknowledge that doing harm to the core
principles of a security protocol that everyone relies on for the sake
of one particular use case out of many might not be an appropriate step
to take. (and that one use case might have other solutions, albeit
perhaps more expensive or inconvenient ones for people who have already
made certain investments)

I'm pretty sure we don't want TLS to be all things to all people, right?
What are the core goals or guarantees of TLS that you would like to see
preserved?

--dkg
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls