Harry,
...
In the "early days" of the Internet, to my knowledge, the Internet was
more of a research project amongst co-operative researchers at places
like MIT, SRI, and CERN with the Web so security and privacy concerns
were minimal at best. I'm not sure what else can explain early RFCs :)
Obviously this has changed, and now folks have to retro-fit this
security on top of the system.
As one who has been actively involved since "the early days" I have to
disagree with your characterization. Internet R&D was funded primarily
by the U.S. DoD, and thus security was a consideration. Moreover, the
sort of passive and active wiretapping attacks that we're discussing,
ones that can be carried out by nation states, were a concern. The
technical approach to dealing with such attacks was to employ
encryption, on an end-to-end basis, for realtime communication. Sound
familiar?
BBN built a basic e-t-e encryption device (the PLI) in the mid-1970's,
for use in the ARPANET. Later in the 70's we worked with ARPA (now
DARPA) to develop a more sophisticated system, one that worked with
TCP/IP, provided per-connection security associations, and which used a
KDC. (This was a few years before the MIT Kerberos project began and
long before public key crypto was considered practical.)
All of this was well before development of the Web, even before DNS, in
a simpler environment. My point is that technology was developed to
provide protection against passive and active wiretapping of Internet
protocols. It was not developed for the software implementations that
we see in OSes, because the DoD
understood the vulnerabilities that arise in a software-based
implementation. The solutions focused on external, hardware crypto,
inline between a computer (or a gateway) and the Internet. That made the
solutions developed for the DoD environment unattractive for typical
commercial, much less, residential users.
Steve
_______________________________________________
perpass mailing list
https://www.ietf.org/mailman/listinfo/perpass