
Re: (IPng) Re: The besty

>>> I see no consensus that you keep saying with phrases like "I suspect
>>> that others feel the same way".  I do see one hand clapping.
>>OK, Jim, here's agreement with Perry.  I feel the same way.  I didn't
>>realise that any more than one person needed to say it.

>	Ditto. I suppose I'll stand and be counted, too.

>	BTW - unless I'm mistaken, Perry's main topic-of-rant was
>the notion of using exportable crypto instead of something like
>DES. Crypto policy being what it is, *ANY* encryption support for
>IP that is worth having will not be exportable. We need to accept
>that, and publish a relevant standard so that independent non-US
>iplementations can be developed without having to export code.

I think you're mistaken.  The issue of exportable crypto has reached
closure, you're screwed everywhere and it all has restrictions. This is
done, finished, and freakin figured out a day ago.  I think we do have
consensus on this that we are all screwed.

The open issue, and unfortunately we have some strong personalities who
cannot agree (me included), is that the IPv6 security spec should remove the
words that are negative towards in-band key management.  This is the top
issue at this point where we are bumping heads.

>[PS - Jim, if you're truly approaching this from the perspective
>of a vendor, why wait for the ossified standards process to complete
>its interminable gyrations? The only way to make things work is
>to ignore the standards community until it catches up, and make
>sure your products can be easily cut over to standards track IF
>and WHEN a relevant standard arises. Sign me "standards cynic"]

I am here as an individual paid for by my company who is a vendor. Who
only asks me that while I am here to make sure I and others can
actually implement the standards.  I never speak for my company and I
don't think others do either.  In fact Ran's draft at the bottom has a
complete disclosure that NRL is not responsible for that draft.  Lots of
us do this and I put a lot of my own personal time into the IETF too,
trust me as even the ones I am disagreeing with presently do too.  I think
it's a sick kind of challenge maybe.

But assuming I agreed with your comment.  I would want to have my
customers read Ran's draft and not see that in-band security is bad or
to use Dan Nessett's paradigm of wearing Scuba Gear to the grocery store
is something all my customers should do.  I would like to maybe build a
product that does not have perfect forwarding security, which is only
necessary for the most insecure environments and people.

The other issue that's at hand is the IETF in their infinite wisdom has
decided to make implementing security in a vendor's host kernel MANDATORY even
if customers (read the market) don't want to use it.  Sounds like
regulation to me.  I am for less standards (no regulation) and more options
that use the word MAY unless it's an absolute core interoperability requirement
like the network layer protocol or how one discovers other nodes on a
network.  I do not consider security to be in this category at all.

So you're preaching to the choir except vendors are required to implement
standards or they cannot compete in the Open Systems Market.  I would
like to see a security standard (if we really must have one) that lets
the market decide how to implement the key management for security.

Now I do listen and can be influenced.  For example I was going to
object to Ran's draft because he did not mention key management in
depth.  Now I will accept this as proposed if he will leave ALL key
management OPEN as an option.  So if I wanted to be a capitalist die
hard I could actually do what you have suggested and build and then push
type security.

I think this all stems from a need to be safe which IMHO is impossible
and a dumb way to exist.  But I understand it as it's natural for most. So
let's build a core thought police interface for the Internet.  But let
the market hire the enforcers not the IETF network layer security
standard, we can search the market and then standardize later on what
enforcers for key management we need.  Or as you suggest let the market
put enforcers on top of the IPv6 security spec and if everyone uses it
like NFS, DECnet, SNA, or UNIX then it will just become de facto.  No
Scuba Gear everywhere please.  I don't like the color choices for the
gear anyway because sharks think you're a seal and eat you.