Hi,

Just on this:

On 05.10.22 19:32, Lucas Pardue wrote:
> RFC 7258 / BCP 188 [1] was published in 2014. It describes how "Pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible."

Yes, we said that.  However, we also said the following in the same document:

    Those developing IETF specifications need to be able to describe how
    they have considered PM, and, if the attack is relevant to the work
    to be published, be able to justify related design decisions.

Application developers need to consider their particular circumstances and make decisions for themselves.  The OPC world makes heavy use of ISA99 model / IEC 62443, which has a very formal segmentation scheme that may mitigate the need for encryption.  However, some caution is advised: services that have in the past been considered local often transition to use the Internet.  I'm not close enough to OPC to have a fine-tuned crystal ball in that regard.

This doesn't answer the question of whether QUIC should be changed for OPC's use case.  That's not an easy call, but I still don't think we fully understand the requirements.  The existing QUIC may be perfectly fine for certain industrial uses where live key distribution from one party is either easy or unnecessary.

Eliot

