This post was originally published on the CA Security Council blog.
The big news at IETF 88 in Vancouver was the technical plenary on Hardening the Internet which discussed the issue of pervasive surveillance. Pervasive surveillance is a mass surveillance of an entire or a substantial fraction of a population. The surveillance is usually carried out by government, is not targeted and its occurrence may not be overt. It was noted that pervasive surveillance, of the kind revealed in the Snowden-sourced documents, constitutes a misguided and damaging attack on civic society in general and the Internet in particular.
The session was headlined by security guru Bruce Schneier. In Schneier’s presentation he stated, "The goal is to make eavesdropping expensive. That's the way to think about this, is to force the NSA to abandon wholesale collection in favor of targeted collection of information."
Pervasive surveillance is an attack on the Internet and must be treated as an attack. This is not an attack of the cryptography as it was pointed out that the math is good and encryption works if properly implemented. However, there are far too many end-point security issues impacting the implementation of encryption and end-to-end security.
Security Area Director Stephen Farrell stated, “While there are challenges isolating the specific areas of attack that IETF protocols can mitigate, all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem.”
In the end, the Internet technical community continued reviewing what they can do to take action, such as:
There was also a meeting of the Web PKI working group. The goal of this group is to document how the Web PKI was deployed. The reason this is interesting is the Web PKI was not deployed 100 percent in accordance with IETF standards, which may leave some management and security issues.
The Web PKI working group will document the following:
Once the current deployment is documented, then there likely will be projects to help standardize the Web PKI to continue to bring security to the Internet.