
From nobody Thu May  1 07:25:14 2014
Return-Path: <hallam@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 070411A08C6 for <perpass@ietfa.amsl.com>; Thu,  1 May 2014 07:25:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_DBL_REDIR=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ch2CObuq1sVd for <perpass@ietfa.amsl.com>; Thu,  1 May 2014 07:25:09 -0700 (PDT)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id C41651A08D0 for <perpass@ietf.org>; Thu,  1 May 2014 07:25:08 -0700 (PDT)
Received: by mail-la0-f47.google.com with SMTP id pn19so2169920lab.6 for <perpass@ietf.org>; Thu, 01 May 2014 07:25:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mXe/aeAfV8GEmp2ddWXVVqe9Esp9RPzkRsl9UP+QXJE=; b=OfklbunrgG3U51GjcdSS/BthH7tmRjaMFOMQ/OL1397sndXOD5bgoYZO/00yCXPcDZ E2ybZ5GxRnNUXefXnPZgNiOkzidHqp83pkCy1YgpsEnsV0ySeLOUJgezIqq+TZ4GfxAP 9UH/dGTW0MzhIL7rWpAkgsAZukfDsL9nKsyZd+o7BoZqCQnmOg0LjJwzf8G/KNqKHGcx mp9LopHOFdYbwf9BjB2zPlfngH3k+1SWrOVTMWdK9uVVCsGgujuFlKZ2f7GMv5sotU/m Tn2LI0hBF5T6xsVkz1t3rP9+UutzoTREiS14yWzJDFpV7fq4ExEXilrpaE7cSKyHhRIt oiOg==
MIME-Version: 1.0
X-Received: by 10.112.150.162 with SMTP id uj2mr73574lbb.52.1398954306149; Thu, 01 May 2014 07:25:06 -0700 (PDT)
Received: by 10.112.234.229 with HTTP; Thu, 1 May 2014 07:25:06 -0700 (PDT)
In-Reply-To: <031101cf4c3e$69901f90$3cb05eb0$@huitema.net>
References: <20140330164500.GA26721@vortex.com> <F3E7840A-75B6-437B-82D2-A321CEFB6E7E@gmail.com> <031101cf4c3e$69901f90$3cb05eb0$@huitema.net>
Date: Thu, 1 May 2014 10:25:06 -0400
Message-ID: <CAMm+LwiuEJY85-XbpL35LV9aCX4QYAPhgTJzM_+pGVYC36OtWA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/RT74aChcBrpZ60je5RvgF8Ovol0
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] FW: [IP] Details of how Turkey is intercepting Google Public DNS
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 May 2014 14:25:13 -0000

On Sun, Mar 30, 2014 at 1:35 PM, Christian Huitema <huitema@huitema.net> wrote:
> Could be of interest for this list. An example of Internet infrastructure
> vulnerability exploited by various operators. Mount an intercept attack on
> the DNS protocol, and then use it for censorship or man-in-the-middle
> insertion.
>
> From: Lauren Weinstein <lauren@vortex.com>
> Subject: [ NNSquad ] Details of how Turkey is intercepting Google Public DNS
> Date: March 30, 2014 at 12:45:00 PM EDT
> To: nnsquad@nnsquad.org
>
>
> Details of how Turkey is intercepting Google Public DNS
>
> http://j.mp/1lwpwcV  (Bortzmeyer)
>
>    "If you try another well-known DNS resolver, such as OpenDNS,
>     you'll get the same problem: a liar responds instead.  So,
>     someone replies, masquerading as the real Google Public DNS
>     resolver. Is it done by a network equipment on the path, as it is
>     common in China where you get DNS responses even from IP
>     addresses where no name server runs? It seems instead it was a
>     trick with routing: the IAP announced a route to the IP addresses
>     of Google, redirecting the users to an IAP's own impersonation of
>     Google Public DNS, a lying DNS resolver. Many IAP already hijack
>     Google Public DNS in such a way, typically for business reasons
>     (gathering data about the users, spying on them). You can see the
>     routing hijack on erdems' Twitter feed, using Turkish Telecom
>     looking glass: the routes are no normal BGP routes, with a list
>     of AS numbers, they are injected locally, via the IGP (so, you
>     won't see it in remote BGP looking glasses, unless someone in
>     Turkey does the same mistake that Pakistan Telecom did with
>     YouTube in 2008). Test yourself: ... Of course, DNSSEC would
>     solve the problem, if and only if validation were done on the
>     user's local machine, something that most users don't do today."

This isn't an authenticity attack that DNSSEC is designed to protect
against. It is a service attack which DNSSEC does not help against.
All that DNSSEC does is to allow the user to know that they can't get
to Twitter or YouTube. As someone who has recently come back from
Turkey, I can assure you that you don't need DNSSEC to know that you
can't get to YouTube.

DNSSEC was an attempt to use the DNS as the basis for a PKI to
authenticate Internet services. It can be used as a mechanism for
publishing policy about Internet services. It is not a protection
against service attacks.

That does not make DNSSEC a bad security solution; it means that it is
a solution limited to one purpose, which is actually good.


Here we have a group of users who have decided to use the Google DNS
(or the Comodo DNS service or one of any number of competitors). But
they can't because the packets are being interfered with. To defeat
such attacks it is necessary to ensure that:

* The client can verify that the information it receives comes from
the intended source.

* The communications between the client and server can't be identified
as DNS conversations, permitting them to be blocked.

* The services can't be brought down by DoS attacks.

If we want to go the next step and enable the use of censorship
resistant transport (e.g. TOR) then it is also necessary to move up
from DNS to a discovery mechanism that allows responses of the type
'to get to that particular site from where you are now, you need to
use TOR'.


Only the second of these is strictly a privacy issue. But if you want
a robust Internet privacy solution then you need a discovery and
naming infrastructure that supports all of them.

-- 
Website: http://hallambaker.com/
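The forwarded note above describes how the hijack was visible from the inside: the routes covering Google Public DNS were not normal BGP routes with an AS path but were injected locally via the IGP. That observation can be turned into a routine check on an operator's own routing table. The Python below is an added example, not code from this message or from any project it mentions: it audits a routing-table dump in a constructed, simplified column format (prefix, next hop, protocol, AS path) and flags any route that actually forwards traffic to a known public resolver address when that route was not learned via BGP or its origin AS is not the expected one. The `ROUTE_TABLE` sample and the column format are constructed for this example; 8.8.8.8/8.8.4.4 and AS15169 are Google Public DNS's well-known addresses and origin AS.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Well-known public resolver addresses and the AS expected to originate
# the route covering them (Google Public DNS is originated by AS15169).
EXPECTED_ORIGIN = {
    "8.8.8.8": 15169,
    "8.8.4.4": 15169,
}

# Constructed routing-table dump in a simplified, made-up column format:
#   prefix  next-hop  protocol  AS path ("-" when the route carries none).
# The two /32 routes mimic the hijack described on the list: one injected
# locally via OSPF, one carried in BGP but originated by the wrong AS.
ROUTE_TABLE = """\
# prefix            next-hop    proto  as-path
0.0.0.0/0           192.0.2.1   bgp    3356
8.8.8.0/24          192.0.2.1   bgp    3356 15169
8.8.4.0/24          192.0.2.1   bgp    3356 15169
8.8.8.8/32          192.0.2.9   ospf   -
8.8.4.4/32          192.0.2.1   bgp    3356 64512
198.51.100.0/24     192.0.2.1   bgp    3356 64496
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    next_hop: str
    proto: str
    as_path: list[int] = field(default_factory=list)


def parse_routes(dump: str) -> list[Route]:
    """Parse the simplified dump format; comment and blank lines are skipped."""
    routes = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, next_hop, proto, *path = line.split()
        as_path = [] if path == ["-"] else [int(asn) for asn in path]
        routes.append(Route(ipaddress.ip_network(prefix), next_hop, proto.lower(), as_path))
    return routes


def best_route(routes: list[Route], ip: str) -> Route | None:
    """Longest-prefix match: the route that actually forwards traffic to `ip`."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def audit_resolver_routes(dump: str, expected: dict[str, int] = EXPECTED_ORIGIN) -> dict[str, str | None]:
    """Return one finding per watched resolver address (None when the route looks normal)."""
    routes = parse_routes(dump)
    findings: dict[str, str | None] = {}
    for ip, origin in expected.items():
        route = best_route(routes, ip)
        if route is None:
            findings[ip] = "no route"
        elif route.proto != "bgp":
            # No AS path at all: the route was injected locally (IGP/static),
            # which is exactly what the Turkish looking glass showed.
            findings[ip] = f"{route.network} learned via {route.proto}: locally injected, no AS path"
        elif not route.as_path or route.as_path[-1] != origin:
            seen = route.as_path[-1] if route.as_path else "none"
            findings[ip] = f"{route.network} origin AS {seen} != expected AS{origin}"
        else:
            findings[ip] = None
    return findings


if __name__ == "__main__":
    for ip, finding in audit_resolver_routes(ROUTE_TABLE).items():
        print(ip, "OK" if finding is None else "SUSPECT: " + finding)
```

Longest-prefix matching matters here: the covering /24 routes look perfectly normal, and only the more-specific /32s reveal the interception, so a check that stops at the first matching prefix would miss it.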


From nobody Sun May  4 11:34:17 2014
Return-Path: <sm@elandsys.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CD571A0182 for <perpass@ietfa.amsl.com>; Sun,  4 May 2014 11:34:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.651
X-Spam-Level: 
X-Spam-Status: No, score=-2.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7OEqMtO3ATK for <perpass@ietfa.amsl.com>; Sun,  4 May 2014 11:34:15 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 170061A017F for <perpass@ietf.org>; Sun,  4 May 2014 11:34:15 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([197.224.156.63]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id s44IY0dR007957 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <perpass@ietf.org>; Sun, 4 May 2014 11:34:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1399228451; bh=x0x5OLc1levJY+NXPoy6r1WXPNbGOuPfqdEvCcDly7E=; h=Date:To:From:Subject; b=pLmJd+1PmtSQRemLonjBv9NsWDiiptgYuw7TQtUvH8KWwhii6lIW2K+DjYjaozXI3 V3RNEQCNIVfI72RiLNQ6oetRaH/3mnt243bQdURry+OlCjnC3x59YGm5QPtHkFf8Lp C50ASzZeuX0Nl3Qowj1zc9g4bYkdBmyiNp93a51w=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1399228451; i=@elandsys.com; bh=x0x5OLc1levJY+NXPoy6r1WXPNbGOuPfqdEvCcDly7E=; h=Date:To:From:Subject; b=gixrKKiyqKEn3MfQD/Ls9qUp9d8XrEvQoqj/pIBn4GEZBJZk9mJhlIP+h/FUz7hV6 AguFjw60yID7tDRub7HHYtWn+IKdUIYP+kq/SxCN9b7KJqSRk6JEt8QxxtnBcYeU0f by4K1vAmiVIJZ9s41vVLHNj9OorMXc89w2B0ztAc=
Message-Id: <6.2.5.6.2.20140504110523.0baafc40@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Sun, 04 May 2014 11:28:21 -0700
To: perpass@ietf.org
From: S Moonesamy <sm+ietf@elandsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/N3pwp5GYEhzWw4NCSlqbbduRO2g
Subject: [perpass] Traffic peeking - draft-moonesamy-traffic-peeking-02
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 May 2014 18:34:16 -0000

Hello,

I submitted draft-moonesamy-traffic-peeking-02
(http://tools.ietf.org/html/draft-moonesamy-traffic-peeking-02). The
draft argues that there will be someone interested in peeking on
internet traffic and looks at who will provide a level of security
that is considered acceptable.

I would appreciate it if you could read the draft and criticize it.

Regards,
S. Moonesamy


From nobody Mon May  5 11:42:32 2014
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2423A1A03E4 for <perpass@ietfa.amsl.com>; Mon,  5 May 2014 11:42:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level: 
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKae6agqvYPU for <perpass@ietfa.amsl.com>; Mon,  5 May 2014 11:42:28 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 0DAB91A00ED for <perpass@ietf.org>; Mon,  5 May 2014 11:42:28 -0700 (PDT)
Received: from [192.168.10.129] ([64.71.18.60]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MPIvU-1WllZ107CC-004TeL for <perpass@ietf.org>; Mon, 05 May 2014 20:42:23 +0200
Message-ID: <5367DB8C.7010605@gmx.net>
Date: Mon, 05 May 2014 20:42:20 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "perpass@ietf.org" <perpass@ietf.org>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ONvvf8ca7K1OBPJqCFwaJd4xRN6sTWj5R"
X-Provags-ID: V03:K0:3Pf+RCKWJjot3yxgNu4X3w1TFnt0OAtmAbekcxIHZnj/MLP0+jN G7OB63wqznMcmnaz7222ttOk043nUpFEgH2jItLLU6qlQcri/iuzjzvpiHNmxAdc9RWNw49 ty31bkPHVxHtqTJBCvCgb6G9oQfkXxmgFC4DfpK19ZBhgiAP7oqTAfiu8LN98hIZCGi1Sf+ /F8vluk/KY/sUFStFxXgw==
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/1lir3KvMCxe0ELMM9mahBR-lMB0
Subject: [perpass] Summary of IETF Activities on Privacy
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 18:42:30 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--ONvvf8ca7K1OBPJqCFwaJd4xRN6sTWj5R
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi all,

as input to a meeting of data protection authorities I tried to
summarize some of the ongoing work on privacy/security in the IETF.

Here is my write-up:
http://www.tschofenig.priv.at/wp/?p=1024

Maybe you find it useful.

Ciao
Hannes


--ONvvf8ca7K1OBPJqCFwaJd4xRN6sTWj5R
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJTZ9uMAAoJEGhJURNOOiAtAFgH/jg+O99KCUE7GALSuQqxEBH/
GsVExbRk8D4z6fAyFVe+dfwMaS5jnC7zQWpusSCDFaLhFteX1n/y4QuOTT4n7Fw3
WL1k0D/tglpK9cFICEviIgRY8oMCvDLEAXQ/P4pkEBEy+/0f5Ocvo7W/w6Rc31N5
4g4OB3yY73djusF26VdDt7y3iDUh04cj05H4XjGQoU0Q5eCPt5bG4Dfj0pizHsj2
wgeNdf796aVTiN/mLxt5Eecw9xsSHf4ysHu1JvTsNAG8NbNsJCY3RcBx2HUtnlAD
dvFO9ayYPXg2t2yiu8BB2ihRp5mDlojhpYKdfhWle31h+vc6G8lPSBtv5EQ0ey4=
=1gVS
-----END PGP SIGNATURE-----

--ONvvf8ca7K1OBPJqCFwaJd4xRN6sTWj5R--


From nobody Wed May  7 10:09:48 2014
Return-Path: <trevorf@exchange.microsoft.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48D8F1A07EE for <perpass@ietfa.amsl.com>; Wed,  7 May 2014 10:09:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eyWqkeqOniQt for <perpass@ietfa.amsl.com>; Wed,  7 May 2014 10:09:45 -0700 (PDT)
Received: from na01-sn2-obe.outbound.o365filtering.com (mail-sn2on0623.outbound.o365filtering.com [IPv6:2a01:111:f400:fc04::623]) by ietfa.amsl.com (Postfix) with ESMTP id 40CBD1A07D4 for <perpass@ietf.org>; Wed,  7 May 2014 10:09:44 -0700 (PDT)
Received: from BLUSR01CA104.namsdf01.sdf.exchangelabs.com (10.255.124.149) by BLUSR01MB590.namsdf01.sdf.exchangelabs.com (10.255.124.164) with Microsoft SMTP Server (TLS) id 15.0.949.3; Wed, 7 May 2014 17:09:16 +0000
Received: from SN2FFOFD004.ffo.gbl (10.255.124.132) by BLUSR01CA104.outlook.office365.com (10.255.124.149) with Microsoft SMTP Server (TLS) id 15.0.949.3 via Frontend Transport; Wed, 7 May 2014 17:09:16 +0000
Received: from hybrid.exchange.microsoft.com (131.107.159.99) by SN2FFOFD004.mail.o365filtering.com (10.111.201.41) with Microsoft SMTP Server (TLS) id 15.0.939.3 via Frontend Transport; Wed, 7 May 2014 17:09:16 +0000
Received: from DFM-TK5MBX15-08.exchange.corp.microsoft.com (157.54.109.47) by DFM-TK5EDG15-01.exchange.corp.microsoft.com (157.54.27.96) with Microsoft SMTP Server (TLS) id 15.0.913.20; Wed, 7 May 2014 10:09:11 -0700
Received: from DFM-TK5MBX15-05.exchange.corp.microsoft.com (157.54.109.44) by DFM-TK5MBX15-08.exchange.corp.microsoft.com (157.54.109.47) with Microsoft SMTP Server (TLS) id 15.0.913.20; Wed, 7 May 2014 10:09:10 -0700
Received: from DFM-TK5MBX15-05.exchange.corp.microsoft.com ([157.54.109.44]) by DFM-TK5MBX15-05.exchange.corp.microsoft.com ([169.254.5.104]) with mapi id 15.00.0913.011; Wed, 7 May 2014 10:09:10 -0700
From: Trevor Freeman <trevorf@exchange.microsoft.com>
To: "perpass@ietf.org" <perpass@ietf.org>
Thread-Topic: Delivering TLS Best Practices
Thread-Index: Ac9qFf9J34j4TOC/T4qR9MJ41UPlpw==
Date: Wed, 7 May 2014 17:09:09 +0000
Message-ID: <60767cbd31e5430bb09e651f87adee09@DFM-TK5MBX15-05.exchange.corp.microsoft.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.13]
Content-Type: multipart/alternative; boundary="_000_60767cbd31e5430bb09e651f87adee09DFMTK5MBX1505exchangeco_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.159.99; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(199002)(189002)(92566001)(81542001)(81342001)(66066001)(76796001)(15202345003)(21056001)(93136001)(16236675003)(95666003)(33646001)(94946001)(76176001)(80022001)(77096001)(65816002)(31966008)(51856002)(59766002)(47736002)(56816006)(63696004)(50986002)(54356002)(47976003)(54316003)(53806002)(56776002)(99396002)(74662001)(49866002)(74502001)(47446003)(64706001)(512954002)(74706001)(69226001)(98676001)(79102001)(85306002)(94316002)(93516002)(74876001)(76786001)(84326002)(90146001)(85852003)(2656002)(77982001)(87266001)(46102001)(68736004)(84676001)(83322001)(76482001)(44976005)(97736001)(71186001)(97336001)(6806004)(97186001)(2009001)(83072002)(20776003)(15975445006)(81686001)(87936001)(95416001)(4396001)(19580395003)(19300405004)(81816001)(74366001)(19625215002)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUSR01MB590; H:hybrid.exchange.microsoft.com;  FPR:; PTR:InfoDomainNonexistent; MX:1; LANG:en; 
X-Exchange-Antispam-Report-Test: BL:0; ACTION:Default; RISK:Low; SCL:0; SPMLVL:NotSpam; PCL:0; RULEID:
X-Forefront-PRVS: 0204F0BDE2
X-OriginatorOrg: exchange.microsoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/nFqZ7SzDScWJak9QzrMeFJt32UA
Subject: [perpass] Delivering TLS Best Practices
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 17:09:47 -0000

--_000_60767cbd31e5430bb09e651f87adee09DFMTK5MBX1505exchangeco_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

We know we need to provide better guidance for the use of TLS with applications. We have a draft BCP in the works which is goodness.

I was just looking at the TLS deployment statistics.
https://www.trustworthyinternet.org/ssl-pulse/

A (hopefully) large % of the TLS code base has just been updated because of a vulnerability. However, the number of sites supporting TLS v1.2 has barely increased over the past month.

Why is that?

--_000_60767cbd31e5430bb09e651f87adee09DFMTK5MBX1505exchangeco_--


From nobody Wed May  7 10:14:37 2014
Return-Path: <fergdawgster@mykolab.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 020771A07CC for <perpass@ietfa.amsl.com>; Wed,  7 May 2014 10:14:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.251
X-Spam-Level: 
X-Spam-Status: No, score=-3.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CQVp6QVYIieA for <perpass@ietfa.amsl.com>; Wed,  7 May 2014 10:14:33 -0700 (PDT)
Received: from mx04.mykolab.com (mx01.mykolab.com [95.128.36.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D1181A017E for <perpass@ietf.org>; Wed,  7 May 2014 10:14:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at kolabsys.net
Sender: fergdawgster@mykolab.com
Message-ID: <536A69EB.9070607@mykolab.com>
Date: Wed, 07 May 2014 10:14:19 -0700
From: Paul Ferguson <fergdawgster@mykolab.com>
Organization: Clowns R. Mofos
To: Trevor Freeman <trevorf@exchange.microsoft.com>
References: <60767cbd31e5430bb09e651f87adee09@DFM-TK5MBX15-05.exchange.corp.microsoft.com>
In-Reply-To: <60767cbd31e5430bb09e651f87adee09@DFM-TK5MBX15-05.exchange.corp.microsoft.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/esuZDPfo7YulKSCUc4zIIq-OuMQ
Cc: "perpass@ietf.org" <perpass@ietf.org>
Subject: Re: [perpass] Delivering TLS Best Practices
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 17:14:36 -0000

Below:

On 5/7/2014 10:09 AM, Trevor Freeman wrote:

> We know we need to provide better guidance for the use of TLS with
> applications. We have a draft BCP in the works which is goodness.
> 
> I was just looking at the TLS deployment statistics.
> 
> https://www.trustworthyinternet.org/ssl-pulse/
> 
> A (hopefully) large % of the TLS code base has just been updated because
> of a vulnerability. However the number of sites supporting TLS v1.2 has
> barely increased over the past month.

I know some folks may be somewhat skeptical of NIST Guidelines in the
aftermath of the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random
Bit Generator) "issue" involving NIST [1], but these guidelines are
worth reviewing.

FYI,

- ferg


[1]
https://en.wikipedia.org/wiki/Dual_EC_DRBG#Software_and_hardware_which_contained_the_possible_backdoor


-------- Original Message --------
Subject: 	NIST Announced the Release of Special Publication (SP) 800-52
Revision 1, Guidelines for the Selection, Configuration, and Use of
Transport Layer Security (TLS) Implementations
Date: 	Wed, 07 May 2014 11:23:29 -0500
From: 	NIST Computer Security Resource Center
<csrc.nist@service.govdelivery.com>
Reply-To: 	csrc.nist@service.govdelivery.com




NIST Announced the Release of Special Publication (SP) 800-52 Revision
1, Guidelines for the Selection, Configuration, and Use of Transport
Layer Security (TLS) Implementations

To view the full announcement of SP 800-52 Revision 1 release on the
CSRC News page:
http://csrc.nist.gov/news_events/#apr29

Link to the SP 800-52 Revision 1 document (NIST’s Library website):
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

SP 800-52 Rev. 1 can be found on the CSRC Special Publications page at
(this link should be used as a bookmark if needed):
http://csrc.nist.gov/publications/PubsSPs.html#800-52



Pat O'Reilly
NIST Computer Security Division
webmaster-csrc@nist.gov   (Attn: Pat O'Reilly)


[end]



-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
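Trevor's question above is about how many servers actually negotiate TLS 1.2, and the forwarded NIST SP 800-52 Revision 1 is guidance on which versions to configure. As an added example (not code from either message, from NIST or from SSL Pulse), the following Python parses a TLS ServerHello record and classifies the negotiated protocol version, the check an operator would run over captured handshakes to find which of their own servers still land on TLS 1.0 or 1.1. The sample records are constructed by `build_server_hello`; the three-way verdict ("prohibited" for SSL 3.0 and earlier, "below-recommended" for TLS 1.0/1.1, "ok" for TLS 1.2) is this example's own simplification and not a statement of what SP 800-52r1 requires.

```python
import struct

# TLS/SSL protocol version codes as they appear on the wire.
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

# Two real cipher-suite code points, used here only to build sample records.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F


def build_server_hello(version: int, cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS record carrying a ServerHello (a test vector, not captured traffic)."""
    body = (
        struct.pack("!H", version)         # server_version
        + b"\x11" * 32                     # Random: 32 bytes, fixed for the example
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", cipher_suite)  # negotiated cipher suite
        + b"\x00"                          # compression_method: null
    )
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # HandshakeType server_hello(2)
    # ContentType handshake(22), record version, record length, payload
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Pull the negotiated version and cipher suite out of a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", body[0:2])
    sid_len = body[34]                      # session_id length follows the 32-byte Random
    off = 35 + sid_len
    if len(body) < off + 3:
        raise ValueError("truncated ServerHello")
    (cipher_suite,) = struct.unpack("!H", body[off:off + 2])
    return {
        "version": version,
        "version_name": VERSION_NAMES.get(version, f"unknown 0x{version:04x}"),
        "cipher_suite": cipher_suite,
    }


def assess_server_hello(record: bytes) -> dict:
    """Classify the negotiated version against this example's simplified policy."""
    info = parse_server_hello(record)
    v = info["version"]
    if v <= 0x0300:
        info["verdict"] = "prohibited"          # SSL 3.0 and earlier
    elif v < 0x0303:
        info["verdict"] = "below-recommended"   # TLS 1.0 / 1.1
    else:
        info["verdict"] = "ok"                  # TLS 1.2 (or newer)
    return info


if __name__ == "__main__":
    samples = [
        build_server_hello(0x0303, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, b"\xaa" * 8),
        build_server_hello(0x0301, TLS_RSA_WITH_AES_128_CBC_SHA),
        build_server_hello(0x0300, TLS_RSA_WITH_AES_128_CBC_SHA),
    ]
    for rec in samples:
        info = assess_server_hello(rec)
        print(f"{info['version_name']:8} suite=0x{info['cipher_suite']:04x} -> {info['verdict']}")
```

The version that matters for this check is the one inside the ServerHello body, not the one in the record header: clients that negotiate down will carry a lower version in the header, and the server's choice is what decides whether the connection ends up on TLS 1.2.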


From nobody Wed May  7 10:47:07 2014
Return-Path: <trevorf@exchange.microsoft.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5427A1A0251 for <perpass@ietfa.amsl.com>; Wed,  7 May 2014 10:47:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpQ7gOhtjOHC for <perpass@ietfa.amsl.com>; Wed,  7 May 2014 10:46:59 -0700 (PDT)
Received: from na01-sn2-obe.outbound.o365filtering.com (mail-sn2on0684.outbound.o365filtering.com [IPv6:2a01:111:f400:fc04::684]) by ietfa.amsl.com (Postfix) with ESMTP id ECF141A01C1 for <perpass@ietf.org>; Wed,  7 May 2014 10:46:58 -0700 (PDT)
Received: from BLUSR01CA102.namsdf01.sdf.exchangelabs.com (10.255.124.147) by BLUSR01MB603.namsdf01.sdf.exchangelabs.com (10.255.124.168) with Microsoft SMTP Server (TLS) id 15.0.949.3; Wed, 7 May 2014 17:46:32 +0000
Received: from BY1FFOFD001.ffo.gbl (10.255.124.132) by BLUSR01CA102.outlook.office365.com (10.255.124.147) with Microsoft SMTP Server (TLS) id 15.0.949.3 via Frontend Transport; Wed, 7 May 2014 17:46:32 +0000
Received: from hybrid.exchange.microsoft.com (131.107.159.99) by BY1FFOFD001.mail.o365filtering.com (10.1.16.83) with Microsoft SMTP Server (TLS) id 15.0.939.3 via Frontend Transport; Wed, 7 May 2014 17:46:32 +0000
Received: from DFM-TK5MBX15-08.exchange.corp.microsoft.com (157.54.109.47) by DFM-TK5EDG15-01.exchange.corp.microsoft.com (157.54.27.96) with Microsoft SMTP Server (TLS) id 15.0.913.20; Wed, 7 May 2014 10:46:29 -0700
Received: from DFM-TK5MBX15-05.exchange.corp.microsoft.com (157.54.109.44) by DFM-TK5MBX15-08.exchange.corp.microsoft.com (157.54.109.47) with Microsoft SMTP Server (TLS) id 15.0.913.20; Wed, 7 May 2014 10:46:28 -0700
Received: from DFM-TK5MBX15-05.exchange.corp.microsoft.com ([157.54.109.44]) by DFM-TK5MBX15-05.exchange.corp.microsoft.com ([169.254.5.104]) with mapi id 15.00.0913.011; Wed, 7 May 2014 10:46:10 -0700
From: Trevor Freeman <trevorf@exchange.microsoft.com>
To: "fergdawgster@mykolab.com" <fergdawgster@mykolab.com>
Date: Wed, 7 May 2014 17:46:09 +0000
Message-ID: <79ea93e076f1420a9ebb1d28aa3bc897@DFM-TK5MBX15-05.exchange.corp.microsoft.com>
In-Reply-To: <536A69EB.9070607@mykolab.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/U2NxxrKO2iDDETAPEINH9qliqNQ
Cc: "perpass@ietf.org" <perpass@ietf.org>
Subject: Re: [perpass] Delivering TLS Best Practices

I know everyone will not agree with a position.

There are still a lot of folks out there who believe Neil Armstrong never left a sound stage in California.

We did not have a credibility problem with Heartbleed, so why is this different?

-----Original Message-----
From: fergdawgster@mykolab.com [mailto:fergdawgster@mykolab.com]
Sent: Wednesday, May 07, 2014 10:14 AM
To: Trevor Freeman
Cc: perpass@ietf.org
Subject: Re: [perpass] Delivering TLS Best Practices

Below:

On 5/7/2014 10:09 AM, Trevor Freeman wrote:

> We know we need to provide better guidance for the use of TLS with
> applications. We have a draft BCP in the works which is goodness.
>
> I was just looking at the TLS deployment statistics.
>
> https://www.trustworthyinternet.org/ssl-pulse/
>
> A (hopefully) large % of the TLS code base has just been updated
> because of a vulnerability. However, the number of sites supporting TLS
> v1.2 has barely increased over the past month.

I know some folks may be somewhat skeptical of NIST Guidelines in the aftermath of the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) "issue" involving NIST [1], but these guidelines are worth reviewing.

FYI,

- ferg


[1] https://en.wikipedia.org/wiki/Dual_EC_DRBG#Software_and_hardware_which_contained_the_possible_backdoor


-------- Original Message --------
Subject: NIST Announced the Release of Special Publication (SP) 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
Date: Wed, 07 May 2014 11:23:29 -0500
From: NIST Computer Security Resource Center <csrc.nist@service.govdelivery.com>
Reply-To: csrc.nist@service.govdelivery.com

NIST Announced the Release of Special Publication (SP) 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

To view the full announcement of SP 800-52 Revision 1 release on the CSRC News page:
http://csrc.nist.gov/news_events/#apr29

Link to the SP 800-52 Revision 1 document (NIST's Library website):
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

SP 800-52 Rev. 1 can be found on the CSRC Special Publications page at (this link should be used as a bookmark if needed):
http://csrc.nist.gov/publications/PubsSPs.html#800-52



Pat O'Reilly
NIST Computer Security Division
webmaster-csrc@nist.gov   (Attn: Pat O'Reilly)


[end]



--
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2


From nobody Wed May  7 13:17:59 2014
Message-ID: <536A7F32.6040003@sonicwall.com>
Date: Wed, 7 May 2014 11:45:06 -0700
From: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>
To: Trevor Freeman <trevorf@exchange.microsoft.com>
In-Reply-To: <60767cbd31e5430bb09e651f87adee09@DFM-TK5MBX15-05.exchange.corp.microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/m4qk_K-JAZITn7_whRwHx46_EWY
Cc: "perpass@ietf.org" <perpass@ietf.org>
Subject: Re: [perpass] Delivering TLS Best Practices

> I was just looking at the TLS deployment statistics.
>
> https://www.trustworthyinternet.org/ssl-pulse/
>
> A (hopefully) large % of the TLS code base has just been updated
> because of a vulnerability. However, the number of sites supporting TLS
> v1.2 has barely increased over the past month.
>
> Why is that?
>

Well, first, only a small fraction of the TLS installed base was 
actually affected by Heartbleed. Second, if you have a TLS v1.0 product 
and you want to bump that to TLS v1.2, it requires development work. 
Finally, Heartbleed reinforced the opinion of some management chains 
that OpenSSL 1.0.1 is still "bleeding edge" and not yet ready for 
prime-time. (I can't count the number of people I've heard in the past 
month proudly proclaiming they're still on OpenSSL 0.9.8.)

<csg>
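Carl's reasons above amount to an inventory problem: the hosts that took the Heartbleed update were the OpenSSL 1.0.1 ones, while the 0.9.8 hosts he mentions (and the 1.0.0 branch, which this example also covers) need a branch upgrade before they can negotiate TLS 1.2 at all. The following Python is an added example, not code from the thread or from any of its authors; the host names and versions are constructed, and the two version facts it relies on (TLS 1.1/1.2 first shipped in OpenSSL 1.0.1; Heartbleed affected 1.0.1 through 1.0.1f and was fixed in 1.0.1g) are public OpenSSL release history, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Pre-1.1.0 OpenSSL version strings look like "0.9.8y", "1.0.0l" or "1.0.1f":
# three numbers and an optional patch-letter suffix (after "z" comes "za").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# Public OpenSSL release history (not stated in the thread): TLS 1.1/1.2 support
# first shipped in 1.0.1; Heartbleed affected 1.0.1 up to and including 1.0.1f
# and was fixed in 1.0.1g.
FIRST_TLS12_RELEASE = "1.0.1"
HEARTBLEED_FIRST = "1.0.1"
HEARTBLEED_FIXED = "1.0.1g"


def parse_version(text: str) -> Tuple[int, int, int, Tuple[int, str]]:
    """Turn an OpenSSL version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a classic OpenSSL version string: {text!r}")
    major, minor, fix, letters = m.groups()
    # (len, letters) orders '' < 'a' < ... < 'z' < 'za' < 'zb', matching OpenSSL's scheme.
    return (int(major), int(minor), int(fix), (len(letters), letters))


@dataclass
class Finding:
    host: str
    version: str
    heartbleed_exposed: bool  # ships the buggy heartbeat code and is unpatched
    tls12_capable: bool       # the library can negotiate TLS 1.2 at all


def assess(host: str, version: str) -> Finding:
    """Classify one host by its OpenSSL version string."""
    v = parse_version(version)
    exposed = parse_version(HEARTBLEED_FIRST) <= v < parse_version(HEARTBLEED_FIXED)
    tls12 = v >= parse_version(FIRST_TLS12_RELEASE)
    return Finding(host, version.strip(), exposed, tls12)


def triage(inventory_lines: List[str]) -> List[Finding]:
    """Parse 'host version' lines; lines that do not fit are skipped, not guessed at."""
    findings = []
    for line in inventory_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            findings.append(assess(parts[0], parts[1]))
        except ValueError:
            continue
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Group hosts by what the Heartbleed patch wave did and did not fix for them."""
    return {
        "hosts": len(findings),
        "heartbleed_exposed": [f.host for f in findings if f.heartbleed_exposed],
        "tls12_capable": [f.host for f in findings if f.tls12_capable],
        "needs_branch_upgrade_for_tls12": [f.host for f in findings if not f.tls12_capable],
    }


# Constructed sample inventory, as if collected from `openssl version` on each host.
SAMPLE_INVENTORY = [
    "web-01 0.9.8y",
    "web-02 1.0.1e",
    "web-03 1.0.1g",
    "api-01 1.0.0l",
    "lb-01 1.0.1f",
    "vpn-01 unknown",               # unparseable version, skipped
    "bad line with extra fields",   # wrong field count, skipped
]

if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_INVENTORY)).items():
        print(f"{key}: {value}")
```

Only web-02 and lb-01 were in scope for the Heartbleed patch wave; web-01 and api-01 were never affected by it, and also cannot offer TLS 1.2 until they move branches, which is exactly the "development work" Carl describes.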


From nobody Tue May 13 02:00:06 2014
Message-ID: <5371DF0C.7000409@cs.tcd.ie>
Date: Tue, 13 May 2014 09:59:56 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: perpass <perpass@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/nAB-5U6lKhc7GiHAHBs0375G-s8
Subject: [perpass] Fwd: BCP 188, RFC 7258 on Pervasive Monitoring Is an Attack

FYI. Thanks to everyone who contributed, and who
is continuing to contribute as we get into the
more detailed work...

Cheers,
S.


-------- Original Message --------
Subject: BCP 188, RFC 7258 on Pervasive Monitoring Is an Attack
Date: Mon, 12 May 2014 21:45:35 -0700 (PDT)
From: rfc-editor@rfc-editor.org
Reply-To: ietf@ietf.org
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
CC: drafts-update-ref@iana.org, rfc-editor@rfc-editor.org

A new Request for Comments is now available in online RFC libraries.

        BCP 188
        RFC 7258

        Title:      Pervasive Monitoring Is an Attack
        Author:     S. Farrell, H. Tschofenig
        Status:     Best Current Practice
        Stream:     IETF
        Date:       May 2014
        Mailbox:    stephen.farrell@cs.tcd.ie,
                    Hannes.Tschofenig@gmx.net
        Pages:      6
        Characters: 13396
        See Also:   BCP 188

        I-D Tag:    draft-farrell-perpass-attack-06.txt

        URL:        http://www.rfc-editor.org/rfc/rfc7258.txt

Pervasive monitoring is a technical attack that should be mitigated
in the design of IETF protocols, where possible.


BCP: This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  http://www.ietf.org/mailman/listinfo/ietf-announce
  http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/search
For downloading RFCs, see http://www.rfc-editor.org/rfc.html

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC

From nobody Tue May 13 09:24:40 2014
From: Tim Bray <tbray@textuality.com>
Date: Tue, 13 May 2014 09:24:09 -0700
Message-ID: <CAHBU6isE1HYgCEWAAhqRC2e+qRh5QSyDos7ox6zURBcmoR4h5g@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <5371DF0C.7000409@cs.tcd.ie>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/AuUP92pAvVCdc5PMn95u2W2-RYk
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] Fwd: BCP 188, RFC 7258 on Pervasive Monitoring Is an Attack

Anybody have plans to stage a nice real-HTML version?  I just bought
bcp188.com and .net, would be happy to donate it.

On Tue, May 13, 2014 at 1:59 AM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
>
> FYI. Thanks to everyone who contributed, and who
> is continuing to contribute as we get into the
> more detailed work...
>
> Cheers,
> S.



--
- Tim Bray (If you’d like to send me a private message, see
https://keybase.io/timbray)


From nobody Wed May 14 15:34:01 2014
Message-ID: <5373EF43.8080102@KingsMountain.com>
Date: Wed, 14 May 2014 15:33:39 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/frCNAiZyB822UKmsoV45s3epRM0
Cc: perpass <perpass@ietf.org>
Subject: [perpass] Re: BCP 188, RFC 7258 on Pervasive Monitoring Is an Attack

congrats to you guys for getting this nailed down.

=JeffH


From nobody Fri May 16 13:30:03 2014
Message-ID: <53767549.4090806@gmail.com>
Date: Sat, 17 May 2014 08:30:01 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: perpass@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/cuSBPJIIPXKm_ng6Z1OSUSjaaco
Subject: [perpass] Crypto Won’t Save You Either

I've been waiting for Peter Gutmann's slides to appear on line
since I first saw them some months ago. Well worth studying:

http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf

Favourite quotes: "It's probably at least some sort of sign
of the end times when your conference badge has a rootkit."

"There were so many other ways to render DKIM ineffective
that no-one bothered attacking the crypto."

News story:
http://www.theregister.co.uk/2014/05/16/kiwi_prof_calls_bunk_on_nsaproof_tech_says_crypto_is_enough/

Regards
   Brian


From nobody Fri May 16 13:34:01 2014
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <53767549.4090806@gmail.com>
Date: Fri, 16 May 2014 16:33:44 -0400
Message-Id: <D082F6D6-5AFD-4E35-A3A8-3B15CABABD63@fugue.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/s3cIe5SrNhNYz4kRUs6dGyT8QsE
Cc: perpass@ietf.org
Subject: Re: [perpass] Crypto Won’t Save You Either

On May 16, 2014, at 4:30 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> News story:
> http://www.theregister.co.uk/2014/05/16/kiwi_prof_calls_bunk_on_nsaproof_tech_says_crypto_is_enough/

I particularly like the fact that one of the examples he uses of weak implementations is that lovely ransomware that encrypts your hard drive and then demands payment: apparently it's quite easy to hack to de-encrypt your hard drive because it's so poorly done. Poetic justice.


From nobody Fri May 16 13:41:49 2014
Message-ID: <537677FC.1050301@gmail.com>
Date: Fri, 16 May 2014 12:41:32 -0800
From: Melinda Shore <melinda.shore@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, perpass@ietf.org
References: <53767549.4090806@gmail.com>
In-Reply-To: <53767549.4090806@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/kq1WdeSWzhUnOhmVZrF_Er2GxN0
Subject: Re: [perpass] Crypto Won’t Save You Either

On 5/16/14 12:30 PM, Brian E Carpenter wrote:
> "There were so many other ways to render DKIM ineffective
> that no-one bothered attacking the crypto."

I wish I could remember the source for this - I'm pretty
sure I heard it at the IETF (EKR?): strong crypto in too
many cases is like using an armored car to transport something
between two guys living in cardboard boxes.

Melinda



From nobody Fri May 16 13:52:44 2014
Message-ID: <53767A8C.3040103@cisco.com>
Date: Fri, 16 May 2014 22:52:28 +0200
From: Eliot Lear <lear@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, perpass@ietf.org
References: <53767549.4090806@gmail.com>
In-Reply-To: <53767549.4090806@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/JKW8T--HAfoycy844IJ6oItfmgQ
Subject: Re: [perpass] Crypto Won’t Save You Either

Hi,

On 5/16/14, 10:30 PM, Brian E Carpenter wrote:
> I've been waiting for Peter Gutmann's slides to appear on line
> since I first saw them some months ago. Well worth studying:
>
> http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf
>
> Favourite quotes: "It's probably at least some sort of sign
> of the end times when your conference badge has a rootkit."
>
> "There were so many other ways to render DKIM ineffective
> that no-one bothered attacking the crypto."
>

Except for [1], of course.  I am also not one for these sorts of laundry
list presentations, as it comes across as the sky is falling, and leads
one to not take responsibility for one's own faults.  The public
statements from our leadership on this have been quite clear: we will
fix what we can fix... and perhaps exhort others to fix what they can fix.

Anyone who thinks this is a sprint is in the wrong race.  It's a STRINT ;-)

Eliot
[1] http://www.theregister.co.uk/2012/10/24/uscert_dkim_spoofing_flaw/



From nobody Fri May 16 13:53:16 2014
Message-ID: <53767A9B.6050309@sonicwall.com>
Date: Fri, 16 May 2014 13:52:43 -0700
From: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>
To: Melinda Shore <melinda.shore@gmail.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com>
In-Reply-To: <537677FC.1050301@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/DqbHJyRXtMpvOZykugZeaH828W4
Cc: "perpass@ietf.org" <perpass@ietf.org>
Subject: Re: [perpass] Crypto Won’t Save You Either

> I wish I could remember the source for this - I'm pretty
> sure I heard it at the IETF (EKR?): strong crypto in too
> many cases is like using an armored car to transport something
> between two guys living in cardboard boxes.

Old one, usually attributed to Gene Spafford --

   Using encryption on the Internet is the equivalent of arranging
   an armored car to deliver credit-card information from someone
   living in a cardboard box to someone living on a park bench.

<csg>


From nobody Fri May 16 14:41:51 2014
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <53767A9B.6050309@sonicwall.com>
Date: Fri, 16 May 2014 17:41:36 -0400
Message-Id: <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com>
To: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/dhzOwP3eRf-rq0-GEAPt4r8G-ys
Cc: "perpass@ietf.org" <perpass@ietf.org>, Melinda Shore <melinda.shore@gmail.com>
Subject: Re: [perpass] Crypto Won’t Save You Either

On May 16, 2014, at 4:52 PM, Carl S. Gutekunst <cgutekunst@sonicwall.com> wrote:
>  Using encryption on the Internet is the equivalent of arranging
>  an armored car to deliver credit-card information from someone
>  living in a cardboard box to someone living on a park bench.

The thing I really hate about these metaphors is that they lead one to the conclusion that it's pointless to use strong crypto, when really the conclusion one should draw is that one should try to avoid living in cardboard boxes, where possible.


From nobody Fri May 16 14:47:17 2014
Message-ID: <53768757.40006@gmail.com>
Date: Fri, 16 May 2014 13:47:03 -0800
From: Melinda Shore <melinda.shore@gmail.com>
To: Ted Lemon <mellon@fugue.com>,  "Carl S. Gutekunst" <cgutekunst@sonicwall.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com>
In-Reply-To: <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/ZKxWoIkiuA-CsJQ1GU5Kr7m0kRg
Cc: "perpass@ietf.org" <perpass@ietf.org>
Subject: Re: [perpass] Crypto Won’t Save You Either

On 5/16/14 1:41 PM, Ted Lemon wrote:
> The thing I really hate about these metaphors is that they lead one
> to the conclusion that it's pointless to use strong crypto, when
> really the conclusion one should draw is that one should try to avoid
> living in cardboard boxes, where possible.

I don't see that, myself.  Seems to me to be arguing for a systems
view.

Melinda


From nobody Fri May 16 15:02:47 2014
Message-ID: <53768AF4.2070402@cs.tcd.ie>
Date: Fri, 16 May 2014 23:02:28 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, perpass@ietf.org
References: <53767549.4090806@gmail.com>
In-Reply-To: <53767549.4090806@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/fOZyay6GlOS1rpnjLcq-ZcpOjoI
Subject: Re: [perpass] Crypto Won’t Save You Either

Yeah, the NSA-proof thing was overstated, at least as it was
taken up by the press. Doesn't mean we don't have work to do
though. We do, and it's better to focus on that than on any
particular term, hyperbolic or not.

And things can be done by us, and others, e.g. I was happy
to see FB's figures [1] showing 58% of their outbound mail now
being encrypted via STARTTLS, which is afaik a significant
increase on what'd have been the case a couple of years ago.
There's also a significant increase in deployment of PFS
ciphersuites in such cases as well when compared to a year
or two ago so I'm told.

I for one do not believe that that makes no difference to
the spooks. Esp if we can get many more deployments doing
much more of that and similar. (Hint: if you're an active
participant in httpbis - go implement/argue-for/test that
opportunistic security alt-svcs thing and try to help do
for the web what FB have shown works for MTA-MTA SMTP:-)

Which brings it back to our bit of the work - to make it
easier for many more deployments to deploy reasonable security
(which is not all crypto) where there are protocol barriers
getting in their way. It doesn't matter so much how those
barriers got there, but it's really clear what we need to
be doing about any such.

Cheers,
S.

[1] https://www.facebook.com/notes/1453015901605223/

On 16/05/14 21:30, Brian E Carpenter wrote:
> I've been waiting for Peter Gutmann's slides to appear on line
> since I first saw them some months ago. Well worth studying:
> 
> http://regmedia.co.uk/2014/05/16/0955_peter_gutmann.pdf
> 
> Favourite quotes: "It's probably at least some sort of sign
> of the end times when your conference badge has a rootkit."
> 
> "There were so many other ways to render DKIM ineffective
> that no-one bothered attacking the crypto."
> 
> News story:
> http://www.theregister.co.uk/2014/05/16/kiwi_prof_calls_bunk_on_nsaproof_tech_says_crypto_is_enough/
> 
> Regards
>    Brian
> 


From nobody Fri May 16 15:14:05 2014
Message-ID: <53768DA1.3050106@sonicwall.com>
Date: Fri, 16 May 2014 15:13:53 -0700
From: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>
To: Ted Lemon <mellon@fugue.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com>
In-Reply-To: <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/WNYtOL22tT7f3WhGJh1TTguR11c
Cc: "perpass@ietf.org" <perpass@ietf.org>, Melinda Shore <melinda.shore@gmail.com>
Subject: Re: [perpass] Crypto Won’t Save You Either

Ted Lemon <mellon@fugue.com> wrote:
>>  Using encryption on the Internet is the equivalent of arranging
>>  an armored car to deliver credit-card information from someone
>>  living in a cardboard box to someone living on a park bench.
>>     
>
> The thing I really hate about these metaphors is that they lead one to the conclusion that it's pointless to use strong crypto, when really the conclusion one should draw is that one should try to avoid living in cardboard boxes, where possible.

Spafford's is also a 25-year-old metaphor, which is why someone updated 
it to "using strong crypto...." Old metaphors, like urban legends, adapt 
to the times.

In the same vein: people complaining that I "locked the front door and 
left the window open." This is one I confess to using quite a bit. But 
it does not mean I should unlock the front door.

<csg>


From nobody Fri May 16 16:14:06 2014
Message-ID: <53769BBC.5030406@gmail.com>
Date: Sat, 17 May 2014 11:14:04 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: Melinda Shore <melinda.shore@gmail.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com> <53768757.40006@gmail.com>
In-Reply-To: <53768757.40006@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/0rbnZlBEoHRDnFhOH338eo2MGPQ
Cc: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>, "perpass@ietf.org" <perpass@ietf.org>, Ted Lemon <mellon@fugue.com>
Subject: Re: [perpass] Crypto Won’t Save You Either

On 17/05/2014 09:47, Melinda Shore wrote:
> On 5/16/14 1:41 PM, Ted Lemon wrote:
>> The thing I really hate about these metaphors is that they lead one
>> to the conclusion that it's pointless to use strong crypto, when
>> really the conclusion one should draw is that one should try to avoid
>> living in cardboard boxes, where possible.
> 
> I don't see that, myself.  Seems to me to be arguing for a systems
> view.

I think that is Peter's point, from hearing his talk live a few months
ago. You need crypto, but you also need a very strong cardboard box
with no buffer overflows, and without the password being scrawled
on the outside. And do not trust passing strangers who offer
unexpected gifts.

Of course, there is only so much we can do in IETF protocol
specifications.

    Brian


From nobody Fri May 16 18:00:29 2014
Return-Path: <mellon@fugue.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 346351A0201 for <perpass@ietfa.amsl.com>; Fri, 16 May 2014 18:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.252
X-Spam-Level: 
X-Spam-Status: No, score=-2.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jPQaK92wCJNr for <perpass@ietfa.amsl.com>; Fri, 16 May 2014 18:00:23 -0700 (PDT)
Received: from toccata.fugue.com (toccata.fugue.com [204.152.186.142]) by ietfa.amsl.com (Postfix) with ESMTP id E4B911A01F1 for <perpass@ietf.org>; Fri, 16 May 2014 18:00:23 -0700 (PDT)
Received: from [10.0.10.40] (c-174-62-147-182.hsd1.nh.comcast.net [174.62.147.182]) by toccata.fugue.com (Postfix) with ESMTPSA id BF0542380930; Fri, 16 May 2014 21:00:14 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <53769BBC.5030406@gmail.com>
Date: Fri, 16 May 2014 21:00:11 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D2E28E3-CADE-4863-AD05-94AEF73A09A3@fugue.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com> <53768757.40006@gmail.com> <53769BBC.5030406@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/BqC9KN0MMkDpe_kSPb_FpSRmu70
Cc: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>, "perpass@ietf.org" <perpass@ietf.org>, Melinda Shore <melinda.shore@gmail.com>
Subject: Re: [perpass] =?windows-1252?q?Crypto_Won=92t_Save_You_Either?=
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 May 2014 01:00:26 -0000

On May 16, 2014, at 7:14 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> I think that is Peter's point, from hearing his talk live a few months
> ago. You need crypto, but you also need a very strong cardboard box
> with no buffer overflows, and without the password being scrawled
> on the outside. And do not trust passing strangers who offer
> unexpected gifts.

The problem is that the quote is quite memorable, and is repeated out of
context quite frequently.   And a person who is not, like us, familiar
with the technology, will hear "there is no real hope, so don't bother"
when what is meant is "make sure you secure the end nodes."


From nobody Fri May 16 18:56:57 2014
Return-Path: <scott.brim@gmail.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF131A024C for <perpass@ietfa.amsl.com>; Fri, 16 May 2014 18:56:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level: 
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mbGyyH548E8W for <perpass@ietfa.amsl.com>; Fri, 16 May 2014 18:56:52 -0700 (PDT)
Received: from mail-oa0-x22a.google.com (mail-oa0-x22a.google.com [IPv6:2607:f8b0:4003:c02::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F8821A024F for <perpass@ietf.org>; Fri, 16 May 2014 18:56:52 -0700 (PDT)
Received: by mail-oa0-f42.google.com with SMTP id j17so3893774oag.15 for <perpass@ietf.org>; Fri, 16 May 2014 18:56:44 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.183.3.102 with SMTP id bv6mr21251979obd.18.1400291804781; Fri, 16 May 2014 18:56:44 -0700 (PDT)
Received: by 10.183.8.7 with HTTP; Fri, 16 May 2014 18:56:44 -0700 (PDT)
Received: by 10.183.8.7 with HTTP; Fri, 16 May 2014 18:56:44 -0700 (PDT)
In-Reply-To: <53769BBC.5030406@gmail.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com> <53768757.40006@gmail.com> <53769BBC.5030406@gmail.com>
Date: Fri, 16 May 2014 21:56:44 -0400
Message-ID: <CAPv4CP_dcMTmWPsZ4RKy2=b5LU_Hk-SWqoQ+qaOzDF5WO-FPRw@mail.gmail.com>
From: Scott Brim <scott.brim@gmail.com>
To: Brian Carpenter <brian.e.carpenter@gmail.com>
Content-Type: multipart/alternative; boundary=001a1134a45c9b247b04f98ed70f
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/hq0infsrNBsULkj10BFQQx_4xwU
Cc: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>, perpass <perpass@ietf.org>, Melinda Shore <melinda.shore@gmail.com>, "Ted.Lemon@nominum.com" <mellon@fugue.com>
Subject: Re: [perpass] =?utf-8?q?Crypto_Won=E2=80=99t_Save_You_Either?=
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 May 2014 01:56:55 -0000

--001a1134a45c9b247b04f98ed70f
Content-Type: text/plain; charset=UTF-8

On May 16, 2014 7:14 PM, "Brian E Carpenter" <brian.e.carpenter@gmail.com>
wrote:
> I think that is Peter's point, from hearing his talk live a few months
> ago. You need crypto, but you also need a very strong cardboard box

That was my gut reaction. At least we can do really good design, that might
make the crypto count for something.

--001a1134a45c9b247b04f98ed70f--


From nobody Fri May 16 18:59:00 2014
Return-Path: <tbray@textuality.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E0CE1A0252 for <perpass@ietfa.amsl.com>; Fri, 16 May 2014 18:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level: 
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ZWe4637YEjm for <perpass@ietfa.amsl.com>; Fri, 16 May 2014 18:58:56 -0700 (PDT)
Received: from mail-vc0-f177.google.com (mail-vc0-f177.google.com [209.85.220.177]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A776E1A024F for <perpass@ietf.org>; Fri, 16 May 2014 18:58:56 -0700 (PDT)
Received: by mail-vc0-f177.google.com with SMTP id if17so7016751vcb.8 for <perpass@ietf.org>; Fri, 16 May 2014 18:58:48 -0700 (PDT)
X-Received: by 10.52.35.173 with SMTP id i13mr46792vdj.66.1400291928524; Fri, 16 May 2014 18:58:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.98.73 with HTTP; Fri, 16 May 2014 18:58:28 -0700 (PDT)
X-Originating-IP: [24.84.235.32]
In-Reply-To: <CAPv4CP_dcMTmWPsZ4RKy2=b5LU_Hk-SWqoQ+qaOzDF5WO-FPRw@mail.gmail.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com> <53768757.40006@gmail.com> <53769BBC.5030406@gmail.com> <CAPv4CP_dcMTmWPsZ4RKy2=b5LU_Hk-SWqoQ+qaOzDF5WO-FPRw@mail.gmail.com>
From: Tim Bray <tbray@textuality.com>
Date: Fri, 16 May 2014 18:58:28 -0700
Message-ID: <CAHBU6iv4qYjzML9tsxR6cJ5jcXsp33-=GHJC5p6z8YNSSwf6OQ@mail.gmail.com>
To: Scott Brim <scott.brim@gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/RpK5LrDdElOotOBthBFQ2QfclMY
Cc: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>, perpass <perpass@ietf.org>, Melinda Shore <melinda.shore@gmail.com>, "Ted.Lemon@nominum.com" <mellon@fugue.com>
Subject: Re: [perpass] =?utf-8?q?Crypto_Won=E2=80=99t_Save_You_Either?=
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 May 2014 01:58:58 -0000

Relevant to this: https://encryptallthethings.net//

On Fri, May 16, 2014 at 6:56 PM, Scott Brim <scott.brim@gmail.com> wrote:
>
> On May 16, 2014 7:14 PM, "Brian E Carpenter" <brian.e.carpenter@gmail.com>
> wrote:
>> I think that is Peter's point, from hearing his talk live a few months
>> ago. You need crypto, but you also need a very strong cardboard box
>
> That was my gut reaction. At least we can do really good design, that might
> make the crypto count for something.
>
>
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass
>



-- 
- Tim Bray (If you’d like to send me a private message, see
https://keybase.io/timbray)


From nobody Sat May 17 04:44:50 2014
Return-Path: <hhalpin@w3.org>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2FE51A005A for <perpass@ietfa.amsl.com>; Sat, 17 May 2014 04:44:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.253
X-Spam-Level: 
X-Spam-Status: No, score=-7.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V8HFWz1jHJc3 for <perpass@ietfa.amsl.com>; Sat, 17 May 2014 04:44:44 -0700 (PDT)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F1AC1A0054 for <perpass@ietf.org>; Sat, 17 May 2014 04:44:44 -0700 (PDT)
Received: from men75-11-88-175-104-179.fbx.proxad.net ([88.175.104.179] helo=[192.168.1.48]) by jay.w3.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <hhalpin@w3.org>) id 1Wld2X-0007e6-N3; Sat, 17 May 2014 07:44:33 -0400
Message-ID: <53774B98.40309@w3.org>
Date: Sat, 17 May 2014 13:44:24 +0200
From: Harry Halpin <hhalpin@w3.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>,  Melinda Shore <melinda.shore@gmail.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com> <53768757.40006@gmail.com> <53769BBC.5030406@gmail.com>
In-Reply-To: <53769BBC.5030406@gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/IH1XOkEUE8hg70nZ2EOH300IOTI
Cc: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>, "perpass@ietf.org" <perpass@ietf.org>, Ted Lemon <mellon@fugue.com>
Subject: Re: [perpass] =?windows-1252?q?Crypto_Won=92t_Save_You_Either?=
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 May 2014 11:44:47 -0000

On 05/17/2014 01:14 AM, Brian E Carpenter wrote:
> On 17/05/2014 09:47, Melinda Shore wrote:
>> On 5/16/14 1:41 PM, Ted Lemon wrote:
>>> The thing I really hate about these metaphors is that they lead one
>>> to the conclusion that it's pointless to use strong crypto, when
>>> really the conclusion one should draw is that one should try to avoid
>>> living in cardboard boxes, where possible.
>>
>> I don't see that, myself.  Seems to me to be arguing for a systems
>> view.
> 
> I think that is Peter's point, from hearing his talk live a few months
> ago. You need crypto, but you also need a very strong cardboard box
> with no buffer overflows, and without the password being scrawled
> on the outside. And do not trust passing strangers who offer
> unexpected gifts.
> 
> Of course, there is only so much we can do in IETF protocol
> specifications.

Actually, from a systems perspective there is quite a bit one can do in
an IETF or W3C specification. For example, data minimization by not
leaking identifiers except when necessary. See "hiding metadata" in the
STRINT workshop report [1]. The methods of systems thinking in security
are still very young, but I'd say the arms race with the NSA is on :)

[1] https://tools.ietf.org/html/draft-iab-strint-report-00#page-6

   cheers,
       harry



> 
>     Brian
> 
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass
> 


From nobody Mon May 19 13:12:14 2014
Return-Path: <johnh@isi.edu>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A39DA1A03CA; Mon, 19 May 2014 13:12:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.251
X-Spam-Level: 
X-Spam-Status: No, score=-4.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HBLJZ4GcqGbJ; Mon, 19 May 2014 13:12:03 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FF881A03BD; Mon, 19 May 2014 13:11:41 -0700 (PDT)
Received: from dash.isi.edu (vir.isi.edu [128.9.160.91]) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id s4JK9mSd000034; Mon, 19 May 2014 13:09:48 -0700 (PDT)
Received: from dash.isi.edu (localhost.isi.edu [127.0.0.1]) by dash.isi.edu (Postfix) with ESMTP id 368B9602EC; Mon, 19 May 2014 13:09:48 -0700 (PDT)
To: dnsop@ietf.org, perpass@ietf.org
From: John Heidemann <johnh@isi.edu>
X-url: http://www.isi.edu/~johnh/
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Date: Mon, 19 May 2014 13:09:48 -0700
Message-ID: <1128.1400530188@dash.isi.edu>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: johnh@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/nU6eLXhFjrsZapaysinzrUxUbgA
Subject: Re: [perpass] draft-bortzmeyer-dnsop-dns-privacy (was: [DNSOP] DNS privacy : now at least two drafts)
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 20:12:09 -0000

Folks,

I believe consensus was that dnsop needs a problem statement about DNS
privacy before we explore possible solutions.

Stephane's draft-bortzmeyer-dnsop-dns-privacy seems like a very good start
to this problem statement.  Are there plans to discuss this draft at
IETF90 in Toronto?

I sent him some detailed comments out-of-band, but one question for the
list:  what do we call the parts of the DNS resolver hierarchy?

draft-bortzmeyer-dnsop-dns-privacy-02 defines and uses the terms
(1) "stub resolver",
(2) "resolver" and
(3) "name server"

and also 
(2.5) a forwarding DNS resolver/server that is beyond the first-hop
recursive resolver/server but not authoritative.


for the things that
(1) initiates queries, 
(2) handle recursive resolution,
(3) reply with authoritative responses.


The short version is:

I recommend against use of resolver without an adjective for (2). 

Prior RFCs do not have consensus about what to use (both recursive resolver and
recursive name server appear).  Personally I'd go with "recursive
resolver".  Does the list have other recommendations?



The tl;dr version is below:

I looked over many (but certainly not all) existing RFCs, and there is
some variation in terminology:

RFC-1035 (the original DNS spec):
(1) stub resolver
(2) recursive server
(3) no specific term (!)... it does talk about "foreign name servers"
and "masters" and "authoritative data", but not authoritative servers

RFC-1996 (DNS notify):
(1) (not used)
(2) (not used)
(3) authoritative server

RFC-1999 (EDNS):
none

RFC-3833 (DNS threats) uses
(1) stub resolver
(2) recursive name server
(3) authoritative name servers

RFC-4033 and 4035 (DNSsec) use:
(1) stub resolver
(2) recursive name server
(3) authoritative name servers

RFC-4871 (DKIM):
uses only 
(2) recursive name server

RFC-5966 (DNS over TCP):
(1) stub resolver
(2) recursive server (or forwarder)
(3) authoritative server

RFC-6891 (EDNS(0)):
(1) stub resolver
(2) recursive resolver AND caching resolver
(3) authoritative server




Back to 

draft-bortzmeyer-dnsop-dns-privacy

My recommendation for terms is:

(1) stub resolver
(2) recursive resolver
(2.5) forwarding resolver OR maybe caching intermediate resolver
(3) authoritative nameserver (or authoritative name-server)

Based on these observations:

- "resolver" without an adjective for (2) risks ambiguity

- recursive resolver vs. recursive server for (2) seem to depend on if
  you're approaching the problem from the end-user or the providers
  point of view.  The challenge is that (2) is both a client AND server,
  leading to inconsistency.

Just a suggestion,
   -John Heidemann
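To make the four roles John lists concrete, here is a small simulation of the resolver hierarchy. It is an added example, not code from the thread or from draft-bortzmeyer-dnsop-dns-privacy; the zone contents, the server behaviour and the stub address 198.51.100.7 are all constructed for illustration. It shows why (2) is both a client and a server, what a forwarder (2.5) changes, and, since this list is about pervasive monitoring, which role gets to see the stub's own address and which ones see the full query name.

```python
from typing import Dict, List, Tuple

# Constructed zone data (an assumption for this example): zone apex ->
# {owner name: "A <address>" | "NS <child zone>"}. "NS" marks a delegation.
ZONES: Dict[str, Dict[str, str]] = {
    ".": {"example.": "NS example."},
    "example.": {"www.example.": "A 192.0.2.10", "sub.example.": "NS sub.example."},
    "sub.example.": {"host.sub.example.": "A 192.0.2.20"},
}

STUB_ADDR = "stub(198.51.100.7)"  # assumed client address, used only in the log

# Each hop records what it observed: (its role, who asked it, the qname).
Observation = Tuple[str, str, str]


def authoritative(zone: str, qname: str, asker: str, log: List[Observation]) -> Tuple[str, str]:
    """Role (3): answers from its own zone data or refers to a child zone.
    It never recurses on the client's behalf."""
    log.append((f"authoritative[{zone}]", asker, qname))
    labels = qname.rstrip(".").split(".")
    # Walk from the most specific name towards the apex: an exact A record
    # answers, the closest enclosing delegation refers, otherwise nxdomain.
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        record = ZONES[zone].get(name)
        if record is None:
            continue
        kind, data = record.split(" ", 1)
        if kind == "A" and name == qname:
            return "answer", data
        if kind == "NS":
            return "referral", data
    return "nxdomain", ""


def recursive(qname: str, asker: str, log: List[Observation]) -> str:
    """Role (2): a server towards its client and a client towards the
    authoritatives; chases referrals starting from the root hint."""
    log.append(("recursive", asker, qname))
    zone = "."
    for _ in range(8):  # bound the referral chase
        status, data = authoritative(zone, qname, "recursive", log)
        if status == "answer":
            return data
        if status != "referral":
            break
        zone = data
    return ""


def forwarder(qname: str, asker: str, log: List[Observation]) -> str:
    """Role (2.5): neither authoritative nor iterative; hands the query to a
    recursive resolver, which therefore sees the forwarder, not the stub."""
    log.append(("forwarder", asker, qname))
    return recursive(qname, "forwarder", log)


def stub(qname: str, via_forwarder: bool = False) -> Tuple[str, List[Observation]]:
    """Role (1): initiates the query and only ever talks to its first hop."""
    log: List[Observation] = []
    first_hop = forwarder if via_forwarder else recursive
    return first_hop(qname, STUB_ADDR, log), log


def roles_that_saw_stub(log: List[Observation]) -> List[str]:
    """The privacy question: which roles learned the stub's own address."""
    return [role for role, asker, _ in log if asker == STUB_ADDR]


if __name__ == "__main__":
    answer, log = stub("host.sub.example.")
    print("answer:", answer)
    for role, asker, q in log:
        print(f"{role:28s} asked by {asker:20s} for {q}")
    print("saw the stub's address:", roles_that_saw_stub(log))
```

Running it for host.sub.example. shows one recursive hop acting as server (to the stub) and then as client three times (root, example., sub.example.); only the recursive resolver ever sees the stub's address, while every hop sees the full query name. Putting a forwarder in front moves the address exposure one hop, to the forwarder, without changing what the authoritatives see.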


From nobody Mon May 19 21:06:30 2014
Return-Path: <joelja@bogus.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37CFD1A0277; Mon, 19 May 2014 21:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.951
X-Spam-Level: 
X-Spam-Status: No, score=-1.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L2sugvtCTJkb; Mon, 19 May 2014 21:06:25 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B9F51A0236; Mon, 19 May 2014 21:06:25 -0700 (PDT)
Received: from mb-aye.local (c-67-188-0-113.hsd1.ca.comcast.net [67.188.0.113]) (authenticated bits=0) by nagasaki.bogus.com (8.14.7/8.14.7) with ESMTP id s4K46DOr088451 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 20 May 2014 04:06:17 GMT (envelope-from joelja@bogus.com)
Message-ID: <537AD4AD.9030604@bogus.com>
Date: Mon, 19 May 2014 21:06:05 -0700
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Thunderbird/29.0
MIME-Version: 1.0
To: John Heidemann <johnh@isi.edu>, dnsop@ietf.org, perpass@ietf.org
References: <1128.1400530188@dash.isi.edu>
In-Reply-To: <1128.1400530188@dash.isi.edu>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="t6mNgeDBVaHQju50R1WsncuKaBx2F9GPB"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (nagasaki.bogus.com [147.28.0.81]); Tue, 20 May 2014 04:06:23 +0000 (UTC)
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/l3NjJQ4suNo9QMMLsTVtWcHzmvE
Subject: Re: [perpass] [DNSOP] draft-bortzmeyer-dnsop-dns-privacy (was: DNS privacy : now at least two drafts)
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 04:06:27 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--t6mNgeDBVaHQju50R1WsncuKaBx2F9GPB
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 5/19/14, 1:09 PM, John Heidemann wrote:
> 
> Folks,
> 
> I believe consensus was that dnsop needs a problem statement about DNS
> privacy before we explore possible solutions.

If I were to speculate on the basis of the discussion here and in the
DNSE BoF, the solution space involves significant if maybe not dramatic
architecture changes.

I would be happy to support exploration of the problem here and
documents of an according nature, but I imagine us chartering it as a
standalone activity.

> Stephane's draft-bortzmeyer-dnsop-dns-privacy seems like a very good start
> to this problem statement.  Are there plans to discuss this draft at
> IETF90 in Toronto?
> 
> I sent him some detailed comments out-of-band, but one question for the
> list:  what do we call the parts of the DNS resolver hierarchy?
> 
> draft-bortzmeyer-dnsop-dns-privacy-02 defines and uses the terms
> (1) "stub resolver",
> (2) "resolver" and
> (3) "name server"
> 
> and also
> (2.5) a forwarding DNS resolver/server that is beyond the first-hop
> recursive resolver/server but not authoritative.
> 
> 
> for the things that
> (1) initiates queries,
> (2) handle recursive resolution,
> (3) reply with authoritative responses.
> 
> 
> The short version is:
> 
> I recommend against use of resolver without an adjective for (2).
> 
> Prior RFCs do not have consensus about what to use (both recursive resolver and
> recursive name server appear).  Personally I'd go with "recursive
> resolver".  Does the list have other recommendations?
> 
> 
> 
> The tl;dr version is below:
> 
> I looked over many (but certainly not all) existing RFCs, and there is
> some variation in terminology:
> 
> RFC-1035 (the original DNS spec):
> (1) stub resolver
> (2) recursive server
> (3) no specific term (!)... it does talk about "foreign name servers"
> and "masters" and "authoritative data", but not authoritative servers
> 
> RFC-1996 (DNS notify):
> (1) (not used)
> (2) (not used)
> (3) authoritative server
> 
> RFC-1999 (EDNS):
> none
> 
> RFC-3833 (DNS threats) uses
> (1) stub resolver
> (2) recursive name server
> (3) authoritative name servers
> 
> RFC-4033 and 4035 (DNSsec) use:
> (1) stub resolver
> (2) recursive name server
> (3) authoritative name servers
> 
> RFC-4871 (DKIM):
> uses only
> (2) recursive name server
> 
> RFC-5966 (DNS over TCP):
> (1) stub resolver
> (2) recursive server (or forwarder)
> (3) authoritative server
> 
> RFC-6891 (EDNS(0)):
> (1) stub resolver
> (2) recursive resolver AND caching resolver
> (3) authoritative server
> 
> 
> 
> 
> Back to
> 
> draft-bortzmeyer-dnsop-dns-privacy
> 
> My recommendation for terms is:
> 
> (1) stub resolver
> (2) recursive resolver
> (2.5) forwarding resolver OR maybe caching intermediate resolver
> (3) authoritative nameserver (or authoritative name-server)
> 
> Based on these observations:
> 
> - "resolver" without an adjective for (2) risks ambiguity
> 
> - recursive resolver vs. recursive server for (2) seem to depend on if
>   you're approaching the problem from the end-user or the providers
>   point of view.  The challenge is that (2) is both a client AND server,
>   leading to inconsistency.
> 
> Just a suggestion,
>    -John Heidemann
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 




--t6mNgeDBVaHQju50R1WsncuKaBx2F9GPB--


From nobody Tue May 20 07:15:27 2014
Return-Path: <singer@apple.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC08B1A0357 for <perpass@ietfa.amsl.com>; Tue, 20 May 2014 07:15:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.552
X-Spam-Level: 
X-Spam-Status: No, score=-4.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q1MB-qlQlzZC for <perpass@ietfa.amsl.com>; Tue, 20 May 2014 07:15:23 -0700 (PDT)
Received: from mail-in2.euro.apple.com (mail-in2.euro.apple.com [17.72.148.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F7601A0232 for <perpass@ietf.org>; Tue, 20 May 2014 07:15:22 -0700 (PDT)
Received: from relay1.euro.apple.com (relay1.euro.apple.com [17.66.55.11]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail-in2.euro.apple.com (Symantec Mail Security) with SMTP id 38.D9.07653.8736B735; Tue, 20 May 2014 15:15:20 +0100 (BST)
X-AuditID: 1148940c-f79876d000001de5-ff-537b6378f684
Received: from crk-mmpp-sz01 (crk-mmpp-sz01.euro.apple.com [17.66.12.154]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay1.euro.apple.com (Symantec Mail Security) with SMTP id 4F.11.07555.8736B735; Tue, 20 May 2014 15:15:20 +0100 (BST)
Received: from uklon5-asavpn-l2tp-17-78-213-174.euro.apple.com ([17.78.213.174]) by crk-mmpp-sz01.euro.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTPSA id <0N5V00GBRM9IZF90@crk-mmpp-sz01.euro.apple.com> for perpass@ietf.org; Tue, 20 May 2014 15:15:19 +0100 (IST)
Content-type: text/plain; charset=windows-1252
MIME-version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: David Singer <singer@apple.com>
In-reply-to: <8D2E28E3-CADE-4863-AD05-94AEF73A09A3@fugue.com>
Date: Tue, 20 May 2014 16:14:59 +0200
Content-transfer-encoding: quoted-printable
Message-id: <88B89BC7-2E87-46CD-A5C2-8CEE7356231E@apple.com>
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com> <53768757.40006@gmail.com> <53769BBC.5030406@gmail.com> <8D2E28E3-CADE-4863-AD05-94AEF73A09A3@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/jOuuofo8Qbex2AdjuvZ1qa72KFA
Cc: "Carl S. Gutekunst" <cgutekunst@sonicwall.com>, "perpass@ietf.org" <perpass@ietf.org>, Melinda Shore <melinda.shore@gmail.com>
Subject: Re: [perpass] =?windows-1252?q?Crypto_Won=92t_Save_You_Either?=
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 May 2014 14:15:24 -0000

On May 17, 2014, at 3:00 , Ted Lemon <mellon@fugue.com> wrote:

> On May 16, 2014, at 7:14 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>> I think that is Peter's point, from hearing his talk live a few months
>> ago. You need crypto, but you also need a very strong cardboard box
>> with no buffer overflows, and without the password being scrawled
>> on the outside. And do not trust passing strangers who offer
>> unexpected gifts.
>
> The problem is that the quote is quite memorable, and is repeated out of context quite frequently. And a person who is not, like us, familiar with the technology, will hear "there is no real hope, so don't bother" when what is meant is "make sure you secure the end nodes."

Even were the quote simply true, it may be a non sequitur. Front door locks get broken sometimes, safes get cracked, padlocks get sawn off, and so on. Even if a technique is not 100% effective, that doesn't make it useless.


Dave Singer

singer@mac.com

David Singer
Manager, Software Standards, Apple Inc.


From nobody Wed May 21 14:08:00 2014
Return-Path: <joe@cdt.org>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 886DE1A076B for <perpass@ietfa.amsl.com>; Wed, 21 May 2014 14:07:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.602
X-Spam-Level: 
X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 89yTkG1C8psH for <perpass@ietfa.amsl.com>; Wed, 21 May 2014 14:07:47 -0700 (PDT)
Received: from mail.maclaboratory.net (mail.maclaboratory.net [209.190.215.232]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDA611A0394 for <perpass@ietf.org>; Wed, 21 May 2014 14:07:46 -0700 (PDT)
X-Footer: Y2R0Lm9yZw==
Received: from hypochilid-2.local ([199.119.118.21]) (authenticated user jhall@cdt.org) by mail.maclaboratory.net (using TLSv1 with cipher DHE-RSA-AES128-SHA (128 bits)) for perpass@ietf.org; Wed, 21 May 2014 17:07:43 -0400
Message-ID: <537D159E.6050601@cdt.org>
Date: Wed, 21 May 2014 17:07:42 -0400
From: Joseph Lorenzo Hall <joe@cdt.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: perpass@ietf.org
References: <53767549.4090806@gmail.com> <537677FC.1050301@gmail.com> <53767A9B.6050309@sonicwall.com> <2A2A6FA7-09DC-4914-8ED4-13E8D8DA4BAA@fugue.com> <53768757.40006@gmail.com> <53769BBC.5030406@gmail.com> <CAPv4CP_dcMTmWPsZ4RKy2=b5LU_Hk-SWqoQ+qaOzDF5WO-FPRw@mail.gmail.com> <CAHBU6iv4qYjzML9tsxR6cJ5jcXsp33-=GHJC5p6z8YNSSwf6OQ@mail.gmail.com>
In-Reply-To: <CAHBU6iv4qYjzML9tsxR6cJ5jcXsp33-=GHJC5p6z8YNSSwf6OQ@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/GSvuIqN8eZh4g-00ZI0HcGEpotI
Subject: Re: [perpass] =?utf-8?q?Crypto_Won=E2=80=99t_Save_You_Either?=
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 May 2014 21:07:49 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 5/16/14, 9:58 PM, Tim Bray wrote:
> Relevant to this: https://encryptallthethings.net//

+1

You'll see us (CDT) and many others have signed on to this campaign
from Access and will attempt to do all the things here by the end of
the year (PFS, HSTS, etc.).

Part of the impetus here is that legal reform is slow and wildly
unpredictable, beefing up standards is a bit faster (not much!) and
often has other competing interests... so, how can we get folks that
make apps, run servers, etc. to turn on and properly configure
technical bits that provide a higher degree of security and privacy?

There is also:

https://www.resetthenet.org/

Which is a broader effort -- centered around the anniversary of the
first Snowden revelation -- to get everyone (even the general public!)
to commit to using a new security and/or privacy technology.

best, Joe

- -- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
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=UDDt
-----END PGP SIGNATURE-----

