logoalt Hacker News

lokartoday at 4:07 AM3 repliesview on HN

But that’s not what the IETF is. They don’t police, they encourage collaboration and standardization between implementers.


Replies

AdamNtoday at 9:07 AM

The standardization process should weed out 'footguns' that are prone to accidentally (or maliciously) lowering the security bar.

ButlerianJihadtoday at 6:32 AM

Heh heh heh.

I recall the early-to-mid-90s when the IETF was a powerhouse, churning out foundational standards and documents monthly, and every time I read a foundational RFC for some protocol I wanted to learn, the "Security Considerations" section was intentionally left completely blank and un-considered.

I don't know if it was recklessness or expediency or a very calculated tactic (the Internet was invented by DARPA, after all) but Internet protocols were so ridiculously insecure, and based on absurd trust models that were repeatedly broken, and everything always transmitted in plaintext (because, of course, all networks were physically wired, secured, and only the good guys could tap into them).

It was an absolute Wild West clown college as the Internet transitioned to commercial and privatized use cases, and I suppose it guaranteed job security for generations of cybersecurity experts and cryptographers.

g-b-rtoday at 4:13 AM

They publish what become standards, you can't just support any existing option in an encryption protocol (if you want to have a secure one).