People seem to have missed my actual points, which were that:

1) We have to accept the fact that people are going to be suspicious of standards proposals and make sure that 'trust us' is not baked in. That includes specs that assume one of the i-* entities is going to be trustworthy in perpetuity.

2) People who take offense at the fact that they are under suspicion are now in the wrong business. Being in the CA business, I have always had to justify the trust vested in my employer as a trusted third party; anyone who takes offense when being asked why they should be considered trustworthy should not be in the trusted third party business.

3) Yes, it sucks; blame those idiot colonels whose crappy tradecraft led them to write hundreds of PowerPoint slides boasting about them and leave them all on a SharePoint server administered by a 29-year-old contractor whose girlfriend worked as a stripper.

I do not think pervasive suspicion is really acceptable in the IETF culture at present. Well, not unless the target is a CA.

We also have a big problem in that there are two ways that an NSA contractor can sabotage a standard. One is to obstruct changes to make a standard secure; the other is to insist on ludicrous security requirements that ensure nobody will use the security.

On the implementation side, yes, implementation errors, whether fortuitous or deliberate, are much more likely to be the source of insecurity than protocol errors. The number of developers is much larger than the number of designers. I get rather fed up with people who work for software vendors that patch a dozen serious security bugs every month putting up slides that ignore their own security problem but are sure to raise the DigiNotar issue.
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
