Brian,
The issue is not whether or not to have security. It is what level of
security is satisfactory, and there is no one solution that fits all. Note also
that the p2psip solution should also make it easier for nodes to serve as
peers by not putting too much burden on them.
Deployment of security is motivated by the requirements of the specific
deployment and not because of the standard. What will happen is that you
will see no compliance in cases where a p2p solution will be deployed but
would prefer a different security mechanism. We also need to see that there
may be other p2p overlays and joining policies as well as other usages which
may have different security requirements.
I think that the p2prg draft that outlines the security option, as well as
having a security analysis for p2psip, will be enough. My thought was that
specifying TLS/DTLS was to address interoperability, but this can be done by
mandating implementation and not usage.

Roni Even
 

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Brian Rosen
> Sent: Friday, December 11, 2009 8:17 PM
> To: Michael Chen; P2PSIP WG
> Subject: Re: [P2PSIP] Concerns, questions and nits about base -06 as
> part of the WGLC
> 
> <as individual>
> I disagree.
> 
> The problem is that we have a whole lot of history and experience.
> 
> The experience is that if we don't insist, and make security integral to the
> protocol, it doesn't get implemented and we have a majority of insecure
> systems.
> 
> If we do insist, the cost of the security is reasonable: the dire
> predictions that it's too costly, too hard, ... don't happen.
> 
> No amount of text explaining when the security mechanism is or isn't
> appropriate works.  You have to make the mechanism integral to the operation
> of the protocol, as we have done here.
> 
> I don't see anything in p2psip which would be different than our history and
> experience.  The costs aren't as bad as you fear.  The probability of nearly
> every system being implemented insecurely is very high if you make it
> optional.
> 
> Don't do that.
> 
> Brian
> 
> 
> On 12/11/09 12:49 PM, "Michael Chen" <[email protected]> wrote:
> 
> > I too agree with the three of you. D/TLS should be optional. Several of my
> > previous posts voice concerns about redundancy and efficiency of the transport
> > layer.
> >
> > --Michael
> >> -------- Original Message --------
> >> Subject: Re: [P2PSIP] Concerns, questions and nits about base -06 as
> >> part of the WGLC
> >> From: jc <[email protected]>
> >> Date: Fri, December 11, 2009 7:26 am
> >> To: Ari Keranen <[email protected]>
> >> Cc: P2PSIP WG <[email protected]>
> >>
> >> I said this about 7 months ago and I still agree that there should be
> >> no mandatory transport layer encryption as this should be provided
> >> outside of the scope of this draft.
> >>
> >> Julian
> >>
> >> Sent from my iPhone
> >>
> >> On Dec 11, 2009, at 5:39 AM, Ari Keranen <[email protected]> wrote:
> >>
> >>> Hi,
> >>>
> >>> David A. Bryan wrote:
> >>>> Concern 1: Mandatory TLS/DTLS Inappropriate in some Contexts
> >>>> I've raised this issue before, but I'm hoping that now that
> >>>> people have had a bit more time to think about all the use cases,
> >>>> see what it means in the real world, etc., there might be a bit more
> >>>> support for modifying the requirement for TLS/DTLS. TLS/DTLS makes
> >>>> sense in some cases, but if we are expecting RELOAD to be reusable,
> >>>> it is clear to me that it does not make sense in all cases.
> >>>> It was familiar
> >>>> to the editors, and well understood, so it made sense as a proposal,
> >>>> but I disagree with it being the mandatory/only solution.
> >>>
> >>> I fully agree with David that making (D)TLS mandatory is not a good
> >>> idea, especially concerning re-usability of the protocol in scenarios
> >>> where you already have similar security features provided by the
> >>> underlying system.
> >>>
> >>>
> >>> Cheers,
> >>> Ari
> >>> _______________________________________________
> >>> P2PSIP mailing list
> >>> [email protected]
> >>> https://www.ietf.org/mailman/listinfo/p2psip