Joe Touch wrote this message on Tue, Aug 05, 2014 at 10:24 -0700:
> 
> 
> On 8/5/2014 9:58 AM, Nico Williams wrote:
> >On Tue, Aug 5, 2014 at 11:39 AM, Joe Touch <[email protected]> wrote:
> >>On 8/4/2014 9:18 AM, Nico Williams wrote:
> >>>On Sun, Aug 03, 2014 at 05:08:50PM -0700, Joe Touch wrote:
> ...
> >>>I think you should let the process continue rather than attempt to shut
> >>>this down.
> >>
> >>I'm OK with that plan, but not OK with posts that make claims as to how
> >>solutions address the self-contradictory requirements of the charter.
> >
> >If there's an inconsistency between the charter and the proposals,
> >then that has to be addressed: that's part of the process.  It may
> >mean updating the charter, updating the proposals, or even concluding
> >the WG.
> >
> >>I.e., this group cannot have it both ways. If you want to proceed with a
> >>flawed charter, then stop holding it up as the gold standard for 
> >>solutions.
> >
> >Your posts have been more of the "this is not good, stop it" vein than
> >"the proposal is inconsistent with the WG charter [details]".  You
> >can't have it both ways either.  Please provide details or stop
> >distracting.
> 
> I did.
> 
> To repeat in summary, the charter mandates a TCP solution based on 
> deployability to address pervasive monitoring. However:
> 
>       - unauthenticated anything protects against only shared-media
>       monitoring. The kind of pervasive monitoring I believe motivated
>       the BCP is at firewalls or routers on-path, and those can
>       easily act as MITM
> 
>       so any unauthenticated approach is likely not to suffice to
>       address the BCP that is the primary motivation of this work

It is only required to mitigate the attack, not entirely prevent it...

>       - there is no evidence that a TCP layer solution is easier
>       to deploy or that a kernel-based solution is easier to deploy,
>       or that the two are inextricably linked

Considering how many people deployed broken TLS (don't properly validate
certs), or how many people use DTLS in their protocols (I know of none,
but I haven't researched it), or how many can't be bothered to turn on
https on their web servers, I believe that this will improve the state,
not necessarily solve ALL problems...

>       - there is no reason that a TCP layer solution is appropriate
>       if we're concerned about monitoring

Again, mitigation...

> In fact, the charter starts from a position of wanting to protect 
> traffic from monitoring, but jumps to the conclusion that a TCP solution 
> is needed. What fraction of TCP traffic isn't already protected from 
> monitoring by TLS, and what fraction is TCP of the total traffic 
> potentially being monitored?

Considering HTTP, a large amount of it...  Remember, even if Netflix is
serving encrypted content via http, the fact that you requested that
specific media is "public", so, can be monitored and tracked...

A large amount of this is not about preventing MITM, but making sure
that the cost of PM is increased to make sure that people only do PM
when they have to, not the current wholesale collection...

What percentage of internet traffic is TCP? :)

-- 
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc