Hiya,

On 10/16/2013 08:47 PM, Nicholas Weaver wrote:

> We need universal protection against active adversaries, because
> the precedents have been set and the distinction between passive
> and active really is the willingness of the adversary to include
> active techniques. We need end-to-end data integrity on all
> communication and if you have end-to-end integrity, anything
> point-to-point rather than broadcast should also include
> confidentiality since you can just about get it for free by this
> point.

While I sympathise with more protection and with moves towards more-than-MTI, and I fully agree with you about LAN traffic, I think also requiring e2e mutual auth (which I think is implied in the above) would be counterproductive.

The problem is that that introduces a management problem into every scenario, and that management overhead is, I think, (today) the main reason why most of the MTI security features we define don't get traction until the exploits experienced by users/networks become intolerable.

I think the path forward is more like making opportunistic security mechanisms (in particular confidentiality) more-than-MTI in a way that builds in some security (against passive attacks) as an inherent feature of new protocols, but also results in a far easier transition from there to fully authenticated, compared to the massive gap between cleartext and fully authenticated.

S.
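The two levels discussed above, modelled as an added example (not part of the thread): an unauthenticated Diffie-Hellman exchange that gives a passive observer nothing, and the same code path with an identity binding switched on when a peer key is known, which is what lets it detect an active substitution. The group, the HMAC-based identity tag standing in for a certificate, and the `Endpoint`/`exchange` names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (2**127 - 1 is prime); real protocols use standard groups.
P = 2**127 - 1
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_secret(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

class Endpoint:
    """identity_key stands in for a certificate or pinned key; None = anonymous."""
    def __init__(self, identity_key=None):
        self.identity_key = identity_key
        self.priv, self.pub = dh_keypair()

    def hello(self):
        msg = self.pub.to_bytes(16, "big")
        tag = hmac.new(self.identity_key, msg, "sha256").digest() if self.identity_key else b""
        return msg, tag

    def finish(self, peer_msg, peer_tag, expected_identity=None):
        # Authenticated mode only when the peer's identity key is known: verify the
        # binding and abort (return None) on mismatch. Opportunistic mode skips this,
        # so it still derives a key with whoever sent the message.
        if expected_identity is not None:
            want = hmac.new(expected_identity, peer_msg, "sha256").digest()
            if not hmac.compare_digest(want, peer_tag):
                return None
        return dh_secret(self.priv, int.from_bytes(peer_msg, "big"))

def exchange(alice, bob, active=False, alice_expects=None):
    """Run one handshake and return (alice_key, bob_key).
    active=True models an adversary replacing both hellos with its own DH values;
    alice_expects is bob's identity key when Alice runs in authenticated mode."""
    a_hello, b_hello = alice.hello(), bob.hello()
    if active:
        mitm = Endpoint()            # anonymous: cannot produce Bob's identity tag
        a_hello, b_hello = mitm.hello(), mitm.hello()
    k_alice = alice.finish(*b_hello, expected_identity=alice_expects)
    k_bob = bob.finish(*a_hello)
    return k_alice, k_bob
```

In opportunistic mode the active case completes on both sides with two different keys, which is the silent failure the thread is about; in authenticated mode Alice returns None and the handshake aborts.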
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass
