Hi Ted,

On 01/16/2014 07:23 PM, Theodore Ts'o wrote:
> That may be true, but the alternative of edge-to-edge security is even
> worse.

I'm fairly sure you don't mean it that way, but just in case... We'll really be better off not talking as if end-to-end (or object) and hop-by-hop (channel) security were mutually exclusive; "the alternative" sort of implies that. And there are different hops or channels as well, e.g. if I run IMAP/TLS whilst on an IPsec VPN, etc. etc. Or see the discussion between Adrian and Steve Kent on our draft. So those are also options and not mutually exclusive.

One takeaway from a lot of the snowdonia stuff is that we should have well-defined, interoperable and ideally easy-to-deploy ways to do security at *every* level, since every single option will work best for someone somewhere.

For example, when the tcpcrypt folks turned up at the IETF a couple of years ago I was against it, really. That was mostly because I figured we already had TLS, so why would we want another thing that's so similar, but partly because they were selling it as "better" than TLS. I've now concluded that I was wrong about that and am encouraging them as I can.

And our draft is meant to be the same: another tool for the tool-box. (Well, assuming it turns out to be a useful tool, which is still not yet known.)

Cheers,
S.

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
