On 06/09/13 14:45, Scott Brim wrote:
I wouldn't focus on government surveillance per se. The IETF should
consider that breaking privacy is much easier than it used to be,
particularly given consolidation of services at all layers, and take
that into account in our engineering best practices.
--On Friday, September 06, 2013 17:11 +0100 Tony Finch
d...@dotat.at wrote:
John C Klensin j...@jck.com wrote:
Please correct me if I'm wrong, but it seems to me that
DANE-like approaches are significantly better than traditional
PKI ones only to the extent to which:
...
Yes, but there
- Original Message -
From: Phillip Hallam-Baker hal...@gmail.com
To: Andrew Sullivan a...@anvilwalrusden.com
Cc: IETF Discussion Mailing List ietf@ietf.org
Sent: Friday, September 06, 2013 4:56 AM
On Thu, Sep 5, 2013 at 11:32 PM, Andrew Sullivan
a...@anvilwalrusden.com wrote:
On Fri,
On 9/6/13 12:54 AM, t.p. wrote:
- Original Message -
From: Phillip Hallam-Baker hal...@gmail.com
Cc: IETF Discussion Mailing List ietf@ietf.org
Sent: Friday, September 06, 2013 4:56 AM
The design I think is practical is to eliminate all UI issues by
insisting that encryption and
I wouldn't focus on government surveillance per se. The IETF should
consider that breaking privacy is much easier than it used to be,
particularly given consolidation of services at all layers, and take
that into account in our engineering best practices. Our mission is
to make the Internet
--On Friday, September 06, 2013 06:20 -0700 Pete Resnick
presn...@qti.qualcomm.com wrote:
Actually, I disagree that this fallacy is at play here. I
think we need to separate the concept of end-to-end encryption
from authentication when it comes to UI transparency. We
design UIs now where we
Theodore Ts'o ty...@mit.edu wrote:
Speaking of which, Jim Gettys was trying to tell me yesterday that
BIND refuses to do DNSSEC lookups until the endpoint client has
generated a certificate.
That is wrong. DNSSEC validation affects a whole view - i.e. it is
effectively global.
Clients can
On Fri, Sep 06, 2013 at 03:26:42PM +0100, Tony Finch wrote:
Theodore Ts'o ty...@mit.edu wrote:
Speaking of which, Jim Gettys was trying to tell me yesterday that
BIND refuses to do DNSSEC lookups until the endpoint client has
generated a certificate.
That is wrong. DNSSEC validation
On 9/6/13 7:02 AM, John C Klensin wrote:
...It may still be
good protection against more casual attacks, but we do the users
the same disservice by telling them that their transmissions are
secure under those circumstances that we do by telling them that
their data are secure when they see a
On Fri, Sep 06, 2013 at 06:20:48AM -0700, Pete Resnick wrote:
In email,
we insist that you authenticate the recipient's certificate before
we allow you to install it and to start encrypting, and prefer to
send things in the clear until that is done. That's silly and is
based on the
On 2013-09-06, at 10:16, Theodore Ts'o ty...@mit.edu wrote:
On Fri, Sep 06, 2013 at 06:20:48AM -0700, Pete Resnick wrote:
In email,
we insist that you authenticate the recipient's certificate before
we allow you to install it and to start encrypting, and prefer to
send things in the clear
On Fri, Sep 6, 2013 at 11:41 AM, Pete Resnick presn...@qti.qualcomm.com wrote:
OK, one last nostalgic anecdote about Eudora before I go back to finishing
my spfbis Last Call writeup:
MacTCP (the TCP/IP stack for the original MacOS) required a handler routine
for ICMP messages for some dumb
--On Friday, September 06, 2013 08:41 -0700 Pete Resnick
presn...@qti.qualcomm.com wrote:
...
Absolutely. There is clearly a good motivation: A particular
UI choice should not *constrain* a protocol, so it is
essential that we make sure that the protocol is not
*dependent* on the UI. But
--On Friday, September 06, 2013 07:38 -0700 Pete Resnick
presn...@qti.qualcomm.com wrote:
Actually, I think the latter is really what I'm suggesting.
We've got to do the encryption (for both the minimal protection
from passive attacks as well as setting things up for doing
good security
hi Scott, all,
On Sep 6, 2013, at 3:45 PM, Scott Brim scott.b...@gmail.com wrote:
I wouldn't focus on government surveillance per se. The IETF should
consider that breaking privacy is much easier than it used to be,
particularly given consolidation of services at all layers, and take
that
--On Friday, September 06, 2013 10:43 -0400 Joe Abley
jab...@hopcount.ca wrote:
Can someone please tell me that BIND isn't being this stupid?
This thread has mainly been about privacy and confidentiality.
There is nothing in DNSSEC that offers either of those,
directly (although it's an
On 9/6/13 8:23 AM, John C Klensin wrote:
I think that one of the more important things we
can do is to rethink UIs to give casual users more information
about what is going on and to enable them to take intelligent
action on decisions that should be under their control. There
are good reasons
John C Klensin j...@jck.com wrote:
Please correct me if I'm wrong, but it seems to me that
DANE-like approaches are significantly better than traditional
PKI ones only to the extent to which:
- The entities needing or generating the certificates
are significantly more in control
On Fri, Sep 6, 2013 at 9:20 AM, Pete Resnick presn...@qti.qualcomm.com wrote:
On 9/6/13 12:54 AM, t.p. wrote:
- Original Message -
From: Phillip Hallam-Baker hal...@gmail.com
Cc: IETF Discussion Mailing List ietf@ietf.org
Sent: Friday, September 06, 2013 4:56 AM
The design I think
19 matches