Re: Bruce Schneier on IPsec



On Wed, 19 Jan 2000, Henry Spencer wrote:
> > Especially considering that a lot of what they point out has already been
> > discussed, and, in some cases, rejected. Not many of the points made are, in
> > fact, new or unknown to the working group.
> 
> And where, exactly, are these written up in a form intelligible to non-WG
> observers?  In a fairly strong sense, it does not *MATTER* whether the WG
> has discussed them, if that discussion, its reasoning, and its conclusions
> are not openly and readably documented.  For some protocols, a "trust us,
> this is right" approach is at least defensible; for security protocols, it
> isn't. 
> 
Each working group is *required* to archive its mailing list. Granted it's a
lot of data to wade through, but it's there, and can be found (if you really
put your mind to it, download the entire archive, and run it through
something like verity or something for nice search-tools). Meeting notes are
sent to this list as well.

The current place of the list is at www.vpnc.org.


> > And it is my humble opinion, that the authors don't fully understand the
> > protocol, nor indeed some of the special challenges of networking...
> 
> I wouldn't be surprised; in fact, the authors admit as much in some
> places.  But whose fault is that?  The IPSEC spec is better than it used
> to be, but it's still pretty bad.  Most notably, as F&S observe, it is
> glaringly deficient precisely in explaining *why* it does things the way
> it does.  Again, this is a situation which might be tolerable in some
> contexts but is unacceptable in the Internet's central security protocol. 
> 
The point about documentation is well taken. I never claimed the opposite.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847