Jon,
> Would you agree though Steve that wearing seat belts is our best
> current practice for safety, and that we (if we imagine ourselves car
> designers) should explain to people how unsafe the roads are and that
> they really should wear seat belts? Not everyone who builds cars might
> feel like they need to take responsibility for explaining this, of
> course, but some will.
Taking this analogy too far ...

Yes, I'd support a BCP that calls for wearing seat belts. I would object
to a standard for cars that prevents them from starting unless the driver
and passenger seat belts are fastened, and prevents them from being
unbuckled until the car is shifted into "park."
> I don't want us to throw up our hands and say there's nothing to be
> done to improve the situation because users don't understand security
> and some deployments would resist it. Here in the IETF, our
> responsibilities as participants differ from those of users and even
> operators. We write standards. I think we need to write standards that
> are clear about what people should do to be secure on the Internet as
> we understand it.
There certainly are things that can be done to improve security, in
terms of our standards. We should explain to people what they MAY do
(not MUST or SHOULD) to be more secure. We're neither Internet police
nor Internet nannies.
> Our understanding of the Internet has changed because of these
> revelations, and what we need to do has to change as well. I agree
> that we can't levy unrealistic mandates and hope for anything but our
> own irrelevance. But let's not swing too far in the opposite direction
> here either.
Competent security folks were not surprised by the technical
capabilities that have been revealed. It's obvious that one can gain
access to tons of metadata with the assistance of service providers,
and that a first world country can (and would) analyze that data looking
for bad guys.
Steve
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass