Hi Jeffrey,
On 8/09/13 02:52 AM, Jeffrey I. Schiller wrote:
> The IETF was (and probably still is) a bunch of hard working
> individuals who strive to create useful technology for the
> Internet.
Granted! I do not want to say that the IETF people are in a conspiracy
with someone or each other, or that they are not hard workers [0].
But, I do want to say that, when it comes to security, we now have
enough history and experience to suggest:
the committee may be part of the problem [1],
*and*
it is not clear that it can ever be part of the solution.
Insultingly, those who've spent a decade or so devoting themselves to
this process will not take to that notion kindly. It's sad and
frustrating -- I also spent a lot of time & money pushing OpenPGP code
-- but that does not change the basic economic data we have in front of
us. In the 1990s we had little or no real data about Internet security.
Now we're 20 years on. We have real data.
> In particular IETF contributors are in theory individual
> contributors and not representatives of their employers. Of course
> this is the theory and practice is a bit “noisier”
The notion that employees are there as individuals is noble but
unrealistic, naive. That's to ignore business and politics, h/t to John
Young.
Individuals without funded interests are rare, and tend to only be
around for brief periods [2]. It is the case that the IETF has done
better than other industry groups by insisting on open access and rough
consensus [3].
But the IETF has done nothing to change the laws of economics: Being on
a committee costs a huge amount of time. Only corporates who are
engaged in making money off of the results can typically re-invest that
money, and only individuals committed to working *that job* from
corporates would spend that time on their own dime.
So, naturally, the corporates dominate the committees. To argue
anything else is to argue against economics, perhaps the strongest force
in human nature.
> but the bulk of
> participants I worked with were honest hard working individuals.
There's nothing dishonest or lazy about defending one's job.
> Security fails on the Internet for three important reasons, that have
> nothing to do with the IETF or the technology per se (except for point
> 3).
> 1. There is little market for “the good stuff”. When people see that
>    they have to provide a password to login, they figure they are
>    safe... In general the consuming public cannot tell the
>    difference between “good stuff” and snake oil. So when presented
>    with a $100 “good” solution or a $10 bunch of snake oil, guess
>    what gets bought.
Although it is nicely logical and oft received wisdom, this is not
historically supported. Skype, SSH, Bitcoin, OTR, iMessage are
successful security products.
There is clearly a market for "good stuff" but we the engineers don't
see how to get there, and corporates don't either. Putting us in a
committee doesn't improve that, and probably makes it worse.
> 2. Security is *hard*, it is a negative deliverable. You do not know
>    when you have it, you only know when you have lost it (via
>    compromise).
2. counter-points in abundance: transaction databases, protocols,
monies, browsers, webservers, file sharing, p2p chats, office,
languages, registries, source control, kernels, etc. These are all
hard. We have a long list of projects and systems where we (the
non-committee'd internet) have produced very difficult things.
> It is therefore hard to show return on investment
> with security. It is hard to assign a value to something not
> happening.
ROI:
a. it is hard to show quality at any points behind the screen. The only
things that are easy to show are pretty widgets on screens. Everything
else is hard.
b. I often show ROI models as to why security saves money. (The model
derives from support costs, if anyone doubts this. Also, see Lynn
Wheeler's discussion of credit card fees for the basic economics.)
Which is to say, the problems the net face in security are somewhat
distinct from them being just hard & hard to show; correlation maybe
but causality?
> 2a. Most people don’t really care until they have been personally
>     bitten. A lot of people only purchase a burglar alarm after they
>     have been burglarized. Although people are more security aware
>     today, that is a relatively recent development.
2a., I agree! I now feel bitten by Skype, and damn them to hell!
> 3. As engineers we have totally and completely failed to deliver
>    products that people can use.
Right. (It is a slow-moving nightmare moving all our people to OTR,
which is dominated at the usability level by Skype.)
> I point out e-mail encryption as a
> key example. With today’s solutions you need to understand PK and
> PKI at some level in order to use it. That is like requiring a
> driver to understand the internal combustion engine before they
> can drive their car. The real world doesn’t work that way.
Right. And the reasons for that failure are well understood, in
multiple parts: a. economics, b. architecture, and c. committees &
standards [4].
Meanwhile, there have been several *successful* deliveries of secure
person to person communications where they have challenged those
assumptions.
> No government conspiracy required.
Absolutely! Required, no. But if there is interest in this direction,
we made it too easy:
http://svn.cacert.org/CAcert/CAcert_Inc/Board/oss/oss_sabotage.html
We have seen the enemy and it is...
us,
and in committee, MORE OF US. In caps, pun not intended :)
The real question, for me, is whether we are less our own enemy
apart, and more our own enemy when we get together?
Which all is not to say that the IETF people are bad, or easier to trick
than other engineers, or dishonest or not hard working. These
complaints are strawmen.
It is to say that the IETF's long-chosen model of committees does have
unforeseen consequences.
These consequences have been historically shown to correlate against
security. Perhaps only security, perhaps mildly, but the point is that
there is precious little evidence that they have improved security.
So maybe all we want to say is that it is time for the IETF engineers to
look at the numbers, and maybe be skeptical about whether the approach
is generating security for the end users?
iang
[0] I was there in one of the committees for a decade or so (my company
could only afford one, the OpenPGP one). It was hard work, and this was
an easy committee, with no real competition... I never saw anyone being
dishonest. People worked hard.
[1] In the PGP case, I think it would, in the end, have been far better
if Jon had just written the whole thing himself and published it as an
informational draft. We would have saved 9 of 10 years; time that
could have been spent on better UI integration.
[2] perhaps because their personal interests take them elsewhere on a
learning path, they hop in to learn, then hop off.
[3] consider the disastrous counterpoint of CABForum, the committee for
the security of the PKI revenue stream.
[4] a. the economics trap of "free" and "open to access." If e.g.,
either of these things didn't exist, spam wouldn't exist.
b. Email architecture is impractical to secure. It's in the "too hard"
basket, IMHO. Too much metadata, too broad a standards approach over
too many systems.
c. S/MIME was a product of standards committee, and the result is
perhaps the best example of how not to do things. The major email
vendors all purchased the standards committee approach, again a
reflection of established and mandated barriers to entry. (Meanwhile,
no major vendors signed up for OpenPGP, which at least was free to enter.)
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography