+1 But I don't have time to help write it.

This proposal is similar to what we did in the CA industry after the Iranian attack against Comodo. We had a series of information sharing sessions. One important consequence for me personally was that Symantec/VeriSign gave a presentation on how the root key management system works, which means that I now feel free to talk about that. Although I later discovered that the entire system that I and others considered a highly proprietary trade secret is actually described in detail in the CPS and CP.

The big change in mindset was that we recognized that an attack on one of us is an attack on all, and that security is not a competitive differentiator. DigiNotar damaged the entire industry.

One other point: this is not just one government, or even governments. There is a group of ex-NSA staff semi-openly touting 'cyber-defense' operations that include an 'offshore' component. The only reason I can think of to have the operations offshore and boast about them is to perform acts that would be criminal in the US. The individuals behind the company concerned were very senior in a previous administration and quite possibly believe that they can get away with criminal behavior because the establishment will cover up for them.

Lawlessness begets lawlessness. People who are accustomed to ignoring the laws while working for the government are inclined to continue to ignore them. I expect that in the immediate aftermath of Snowdonia there will be something of an exodus from Fort Meade. And many of those people will take their knowledge with them in their heads and have no compunction about putting that knowledge to 'commercial' use.

It is all going to end in a very ugly scandal, but the perpetrators can do a lot of damage between now and their day of reckoning. People need to put down strong defenses.

On Wed, Nov 27, 2013 at 9:06 AM, Dave Crocker <[email protected]> wrote:
> Morning mid-coffee question:
>
> There have been some recent news articles about various major ISPs
> taking steps to encrypt their (internal) traffic. These prompt me to
> wonder whether it would be practical and useful for the IETF to produce a
> basic draft that gives guidance to other ISP and enterprise operators about
> the steps they should take to protect their traffic.
>
> I'm assuming that providing meaningful protection takes a statement
> beyond "encrypt all your links". Perhaps it doesn't, but I thought I'd
> ask...
>
> d/
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass

--
Website: http://hallambaker.com/
