On 10.09.2013 22:00, Scott Brim wrote:
On Tue, Sep 10, 2013 at 2:46 PM, Hannes Tschofenig <[email protected]> wrote:
One approach to focus the discussion is to limit it to what the IETF can do.

Sounds good.

Within that category one could also focus on specific applications to make
it (a) down-to-earth and (b) have a bit of time for preparation.

Want to start with the drafts recently discussed here?

Do you think that the drafts need some face-to-face discussion time? We should be able to finalize them before the IETF meeting.

draft-sheffer-tls-bcp-00.txt lists well-known attacks and makes reasonable suggestions. Of course there is always room for improvement in the write-up.

draft-trammell-perpass-ppa-00.txt introduces the terminology for a new adversary model and that looks good to me.

draft-saintandre-xmpp-tls-00.txt is a bit related to Yaron's document but also makes sense. Maybe there is room for alignment with draft-sheffer-tls-bcp-00.txt.

I personally believe that the difficult aspects are elsewhere, namely

* mandating a secure protocol design only (e.g. HTTP 2.0 with TLS-on always)
* choice of trust models (think about ZRTP vs. DTLS-SRTP; PGP vs. S/MIME)
* limiting ourselves to fewer choices (unlike in the SIP world where we have documents like http://tools.ietf.org/html/draft-ietf-avt-srtp-not-mandatory-13)
* avoiding standardization of security solutions that are designed to support lawful intercept.

Ciao
Hannes




_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
