Hi Jeffery,

On 8/09/13 02:52 AM, Jeffrey I. Schiller wrote:

The IETF was (and probably still is) a bunch of hard working
individuals who strive to create useful technology for the

Granted! I do not want to say that the IETF people are in a conspiracy with someone or each other, or that they are not hard workers [0].

But, I do want to say that, when it comes to security, we now have enough history and experience to suggest:

    the committee may be part of the problem [1],


    it is not clear that it can ever be part of the solution.

Insultingly; those who've spent a decade or so devoting themselves to this process will not take to that notion kindly. It's sad and frustrating -- I also spent a lot of time & money pushing OpenPGP code -- but that does not change the basic economic data we have in front of us. In the 1990s we had little or no real data about Internet security. Now we're 20 years on. We have real data.

In particular IETF contributors are in theory individual
contributors and not representatives of their employers. Of course
this is the theory and practice is a bit “noisier”

The notion that employees are there as individuals is noble but unrealistic, naive. That's to ignore business and politics, h/t to John Young.

Individuals without funded interests are rare, and tend to only be around for brief periods [2]. It is the case that the IETF has done better than other industry groups by insisting on open access and rough consensus [3].

But the IETF has done nothing to change the laws of economics: Being on a committee costs a huge amount of time. Only corporates who are engaged in making money off of the results can typically re-invest that money, and only individuals committed to working *that job* from corporates would spend that time on their own dime.

So, naturally, the corporates dominate the committees. To argue anything else is to argue against economics, perhaps the strongest force in human nature.

but the bulk of
participant I worked with were honest hard working individuals.

There's nothing dishonest or lazy about defending ones job.

Security fails on the Internet for three important reasons, that have
nothing to do with the IETF or the technology per-se (except for point

  1.  There is little market for “the good stuff”. When people see that
      they have to provide a password to login, they figure they are
      safe... In general the consuming public cannot tell the
      difference between “good stuff” and snake oil. So when presented
      with a $100 “good” solution or a $10 bunch of snake oil, guess
      what gets bought.

Although it is nicely logical and oft received wisdom, this is not historically supported. Skype, SSH, Bitcoin, OTR, iMessage are successful security products.

There is clearly a market for "good stuff" but we the engineers don't see how to get there, and corporates don't either. Putting us in a committee doesn't improve that, and probably makes it worse.

  2.  Security is *hard*, it is a negative deliverable. You do not know
      when you have it, you only know when you have lost it (via

2. counter-points in abundance: transaction databases, protocols, monies, browsers, webservers, file sharing, p2p chats, office, languages, registries, source control, kernels, etc. These are all hard. We have a long list of projects and systems where we (the non-committee'd internet) have produced very difficult things.

      It is therefore hard to show return on investment
      with security. It is hard to assign a value to something not


a. it is hard to show quality at any points behind the screen. The only things that are easy to show are pretty widgets on screens. Everything else is hard.

b. I often show ROI models as to why security saves money. (The model derives from support costs, if anyone doubts this. Also, see Lynn Wheeler's discussion of credit card fees for the basic economics.)

Which is to say, the problems the net face in security are somewhat distinct from them being just hard & hard to show; correlation maybe but causality?

  2a. Most people don’t really care until they have been personally
      bitten. A lot of people only purchase a burglar alarm after they
      have been burglarized. Although people are more security aware
      today, that is a relatively recent development.

2a., I agree!  I now feel bitten by Skype, and damn them to hell!

  3.  As engineers we have totally and completely failed to deliver
      products that people can use.

Right. (It is a slow-moving nightmare moving all our people to OTR, which is dominated at the usability level by Skype.)

      I point out e-mail encryption as a
      key example. With today’s solutions you need to understand PK and
      PKI at some level in order to use it. That is likely requiring a
      driver to understand the internal combustion engine before they
      can drive their car. The real world doesn’t work that way.

Right. And the reasons for that failure are well understood, in multiple parts: a. economics, b. architecture, and c. committees & standards [4].

Meanwhile, there have been several *successful* deliveries of secure person to person communications where they have challenged those assumptions.

No government conspiracy required.

Absolutely! Required, no. But if there is interest in this direction, we made it too easy:


We have seen the enemy and it is...


and in committee, MORE OF US.  In caps, pun not intended :)

The real question is, for me, is whether we are less our own enemy apart, and more our own enemy when we get together?

Which all is not to say that the IETF people are bad, or easier to trick than other engineers, or dishonest or not hard working. These complaints are strawmen.

It is to say that the IETF's long-chosen model of committees does have unforeseen consequences.

These consequences have been historically shown to correlate against security. Perhaps only security, perhaps mildly, but the point is that there is precious little evidence that they have improved security.

So maybe all we want to say is that it is time for the IETF engineers to look at the numbers, and maybe be skeptical about whether the approach is generating security for the end users?


[0] I was there in one of the committees for a decade or so (my company could only afford one, the OpenPGP one). It was hard work, and this was an easy committee, with no real competition... I never saw anyone being dishonest. People worked hard.

[1] In the PGP case, I think it would, in the end, have been far better if Jon had just written the whole thing himself and published it as an informational draft. We would have saved 9 of 10 years; time that could have been spent on better UI integration.

[2] perhaps because their personal interests take them elsewhere on a learning path, they hop in to learn, then hop off.

[3] consider the disastrous counterpoint of CABForum, the committee for the security of the PKI revenue stream.

[4] a. the economics trap of "free" and "open to access." If e.g., either of these things didn't exist, spam wouldn't exist. b. Email architecture is impractical to secure. It's in the "too hard" basket, IMHO. Too much metadata, too broad a standards approach over too many systems. c. S/MIME was a product of standards committee, and the result is perhaps the best example of how not to do things. The major email vendors all purchased the standards committee approach, again a reflection of established and mandated barriers to entry. (Meanwhile, no major vendors signed up for OpenPGP, which at least was free to enter.)

The cryptography mailing list

Reply via email to