Computerworld

The IETF needed a wake-up call on security, says chairman

The Snowden revelations have made the standards organization rethink its approach on security

Security and how to protect users from pervasive monitoring will dominate the proceedings when members of the Internet Engineering Task Force (IETF) meet in London starting Sunday.

For an organization that develops the standards we all depend on for the Internet to work, the continued revelations made by NSA whistleblower Edward Snowden have had wide-ranging repercussions.

"It wasn't a surprise that some activities like this are going on. I think that the scale and some of the tactics surprised the community a little bit. ... You could also argue that maybe we needed the wake-up call," said IETF Chairman Jari Arkko.

The security implications of the disclosures are something the IETF must deal with, according to Arkko.

"Obviously it's important that we have reliable tools for e-commerce, banking, private communications and everything else. My vision of the end goal is that we try to build a more secure Internet based on the assumption that there are all these threats around us," Arkko said.

Part of that work will also be to make security features easier to use, and to have the standards organization think about security from day one when developing new protocols.

"It isn't easy to make these improvements, because if Internet security was easy we would have solved it years ago. But there are things that we can do and what I find very positive is that we seem to be going through this systematic analysis of the different parts to see what we can do with instant messaging, with the Web, with voice over IP," Arkko said.

In conjunction with the IETF meeting, the IAB (Internet Architecture Board) and the W3C (World Wide Web Consortium) are organizing a high-level workshop that will delve deeper into some of these challenges, including tradeoffs between strengthening security measures and performance.

Many topics will be discussed in London, including the "Internet of things" and what changes are needed to make the Internet a better fit for devices such as sensors, which in many cases need to be energy efficient. Part of that work is a new protocol called CoAP (Constrained Application Protocol), designed to work easily with HTTP for integration while meeting requirements such as multicast support and low overhead.

But thermostats, wearables and sensors also need protection, including encrypted communications.

"At this meeting, we are talking about something that would enable authorization to work better in this environment. Even if you have security, you need to decide who can use the thermostat at home," Arkko said.

Digital currency is another area that the IETF has taken an interest in. The work is still at an early stage, so in London participants will consider whether there is a role the standards organization can play, according to Arkko.

"Are there parts of the communication that we could help with? Is there a need for further standardization?" Arkko said.

The IETF meeting is Sunday through Friday.
