Is It Possible for Encryption to Harm Cybersecurity?
This article provides an update on developments in encrypted DNS and related protocols and their potential impact on cybersecurity. In particular, it highlights how applications are making it increasingly difficult for both enterprises and consumers to monitor their in-bound and out-bound communica…
“Disclosure: I am one of the founders of RIPE and both the first and a current employee of the RIPE NCC. I have also been an IETF participant, working group chair and chair of the Internet Society board of trustees and as such have played a role in IETF governance. Dan, No, the IETF is not perfect and neither is the RIPE community. We all carry the history of actions and prejudices of our individual and collective past into our current structures and attitudes. This is no different elsewhere. As an exercise I advise any representative democracy and their rites, unwritten laws and sometimes obscure networks. Whenever I wish to engage a new group I have to do my homework like you started to do. Nowhere have I succeeded in demanding to re-visit previous beliefs and decisions without knowing them and basing my proposals for a big part on the previous work and traditions of the group I am engaging. Neither have I had much success with challenging the attitudes and customs of the group I wish to engage. "As a new attendee, I argued both that I was not part of or aware of previous discussions (which is reason in itself to reassess the previous consensus), and also that the imminent adoption of online safety regulation in the UK and EU is a strong reason to revisit these discussions." will get you nowhere, neither here nor at the IETF and for a reason. Best Daniel”
Daniel One of the contradictions that I have observed in the IETF is that the community maintains a position that it addresses technical issues and not policy, when in reality it sometimes does address policy matters quite explicitly (e.g. RFC 7258 - Pervasive Monitoring is an Attack) and often does so implicitly (many of the technical decisions have policy implications). Suggesting therefore that it is unreasonable to highlight changing circumstances in legislation etc (the imminent adoption of online safety regulation in the UK and EU) as a possible reason to revisit previous community consensus positions, especially if some time has passed since those positions were reached, seems itself to be unreasonable. The IETF does not operate in a vacuum! Separately, the research referenced by Dan mentions the lack of diversity within the IETF community on a number of axes including gender, ethnicity, geography and thought. It is something of an outlier compared to, for example, the IGF, in that regard and has yet to find a way to embrace the multistakeholder model despite some proposals from the IAB (see RFC 8890 - the Internet is for End Users). I note that we also have a problem engaging newcomers, with significant attrition after they have attended a single meeting. Whilst some of this will be due to some taking advantage of the proximity of a particular meeting with their home base, the culture of the community must also take some of the blame. It should be possible to address the cultural challenges. From my own limited experience of RIPE, the community feels very welcoming, and I'm told that the same is true in other organisations such as ETSI. If we are to cite consensus documents as the reason for doing (or not doing) something, we should take care to ensure that the community is as diverse and representative as possible, otherwise our consensus will not carry very much weight. Andrew
With great timing to coincide with the presentation and discussion at the DNS WG today, AdGuard has confirmed that it has adopted the European Resolver Policy. See https://adguard.com/en/blog/adguard-dns-adopted-european-resolver-policy.html for more details.
“I cannot resist to point out that the privacy policy on the web site of this initiative says: 'Privacy Policy coming soon'.”
Hi Daniel Thank you for highlighting the omission. Human error, now fixed.
“Hey Andrew, Thanks for this, appreciate the efforts here. What I was wondering, is there a direct link with the DNS4EU initiative as it was presented in the EU's Cybersecurity Strategy that was published late 2020, quoting from the document (JOIN/2020/18): "With a view to reducing security issues related to market concentration, the Commission will encourage relevant stakeholders including EU companies, Internet Service Providers and browser vendors to adopt a DNS resolution diversification strategy. The Commission also intends to contribute to secure Internet connectivity by supporting the development of a public European DNS resolver service. This ‘DNS4EU’ initiative will offer an alternative, European service for accessing the global Internet. DNS4EU will be transparent, conform to the latest security, data protection and privacy by design and by default standards and rules and form part of the European Industrial Alliance for Data and Cloud". Is this initiative seeking to be an implementation of this or could it be? Thanks, MarcoH (Manager Public Policy and Internet Governance, RIPE NCC)”
Hi Marco Thank you for your comments. With regard to the EU Commission's DNS4EU initiative, there is no direct link between this and the European Resolver Policy, the latter of which comes from industry. However, it is entirely possible (and desirable in my view) that the DNS4EU initiative may specify that resolvers should adopt and be compliant with the policy in order to meet the criteria that you have quoted in your message. Would this have the support of RIPE? This is certainly a point that could be raised during the Commission's next HLIG meeting. Andrew