
Re: [TLS] Please discuss: draft-housley-evidence-extns-00



On Wed, 10 Jan 2007 21:32:15 +0100 (MET)
Martin Rex <martin.rex@xxxxxxx> wrote:

> 
> There is absolutely NONE, ZERO, NIL chance that this can be used
> in customer<->business relationships in the European Union, because
> it is incompatible with the EU data protection directive in many ways.
>
The Danvers doctrine, RFC 1984, and RFC 2804 cut both ways -- the
IETF's protocols are supposed to be based on technical merit, not
political-layer decisions.  It's quite inconsistent to oppose this
because it conflicts with one government-layer policy while not
opposing, say, unescrowed strong crypto because that conflicted with a
different government-layer policy.  (Please read my publication list
before accusing me of being a stooge for the NSA...)  There are two
questions: does the proposal have technical merit, and is there enough
"market" demand that it's worth the IETF's time.  (I think your
specific claim could be argued both ways, but in the spirit of what I
just said I won't address that issue.)

I would have liked a longer -- a much longer -- discussion in the
draft of how this facility might be used.  For example, I don't see it
as particularly useful for https unless and until there are html-level
tags that specify when evidence creation should be used.  Perhaps the
values being uploaded could be surrounded by <evidence>...</evidence>
tags?  Many people on this list have mentioned the issue of the poor
coupling between TLS and application-level semantics; I would like to
see suggestions of how to do it.  Without that, it's hard to assess
either the correctness or the need for this protocol.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls