If we are going to secure the net we need more than specifications, we need running code and configurations to match.
Right now the problems caused by us using SHA1 are vastly less than the problems caused by systems that are just terribly configured or don't make the right security checks. I have an exploit that lets me dump out usernames and passwords enclair from certain applications despite the apparent use of 'security' because most of the clients and many of the servers out there are not configured right. But it does not currently even merit a CERT advisory because it isn't a bug in the code or the specification, it is a configuration failure. So here is the proposal, IETF and W3C develop a series of profiles for how to lock down a service (Web, mail, chat) that provide specific security protections against specified attacks. The suite would also include profiles for backbone, datacenter providers etc. These profiles can then form the basis for a range of security services that can be fulfilled by providers as appropriate to the needs of the clients. So for example, Comodo and the other CAs and some of the DNS registrars can pitch in on the retail end and provide 'off the shelf' services that are locked down to a calibrated security profile. Then at the other end of the scale very large enterprises with a designated CISO would call in the likes of big consulting companies to deploy. There would also be business opportunities for independent consultants. In fact I am not sure that the retail model is going to be viable unless I can tell an unprofitable customer that their needs are beyond what the flat service fee model can support and they need to contact an independent contractor. This is of course something the industry has traditionally looked to NIST to provide. But lets face it, that model is dead. It might be five years before we can get people in a room together. Meanwhile we face real threats. I see a number of questions here, one of which is what the appropriate venue is. Another is what community should be involved. While this probably needs to be an IETF or W3C activity it need not necessarily take place at IETF meetings. A technical session lumped onto the front of Blackhat while the admin type folk are in the training sessions might well be a better venue. We probably want to follow up on Jim Getty's advice to connect to the Linux Plumbers. Security protocol designers are not the best folk for finding holes because most of the holes are created by people doing stuff that is just so stupid most of us would never think to do it. But the work does need to be done somewhere and it needs to be an open, unencumbered specification that draws on open standards. -- Website: http://hallambaker.com/
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
