[ih] Security issues are not discussed in this memo [was: A revolution...]

Steve Crocker steve at shinkuro.com
Mon May 11 02:11:09 PDT 2026 

Yes, October 1989 matches my recollection.  Thanks.

Steve


On Mon, May 11, 2026 at 2:59 PM Brian E Carpenter <
brian.e.carpenter at gmail.com> wrote:

> According to https://www.ietf.org/about/groups/iesg/past-members/, that
> means about October 1989.
>
> Regards/Ngā mihi
>     Brian Carpenter
>
> On 11-May-26 18:07, Steve Crocker wrote:
> > When the Security Area was created, I volunteered  and was accepted as
> the Area Director.  IIRC, I suggested making Security Considerations a
> required section in standards documents.
> >
> > It was not limited to crypto issues.
> >
> > Steve
> >
> > Sent from my iPhone
> >
> >> On May 11, 2026, at 12:31 PM, Brian E Carpenter via Internet-history <
> internet-history at elists.isoc.org> wrote:
> >>
> >> On 11-May-26 12:09, Greg Skinner via Internet-history wrote:
> >> ...
> >>> I’m not sure what Andrew Sullivan meant by “give away.” IMO, the USG
> had a much more liberal attitude towards 1970s and 1980s Internet
> technology, as well as the Internet itself, than it did towards
> cryptographic technology at that time.  The history of PGP <
> https://en.wikipedia.org/wiki/Pretty_Good_Privacy> provides an example of
> this.  If the Internet and/or Internet technology had been subject to
> tighter access and export controls, neither might have (as easily) become
> what they are today.  (I realize there is a lot more to this, and would
> welcome others who have much more experience than I do in this area to
> comment.)
> >>
> >> When did people start to think seriously about security (which is much
> more than cryptography, of course)?
> >>
> >> It was RFC 1311 (March 1992) that introduced the infamous phrase
> "Security issues are not discussed in this memo" which was used quite
> liberally for a long time. "Security Considerations" sections in RFCs seem
> have become normal around 1989, but most of them were very weak for many
> years. (At CERN, we saw elementary attacks from about 1986, mainly via
> DECNET, and we first appointed a network security person in about 1988.)
> >>
> >> Of course, by the time the PGP mess came along, it was clear that NSA
> and its friends were taking a lot of interest in the Internet, and we poked
> the hornet's nest in the mid-1990s with RFC 1984. But DARPA funding was
> gone by then.
> >>
> >> Regards/Ngā mihi
> >>    Brian Carpenter
> >> --
> >> Internet-history mailing list
> >> Internet-history at elists.isoc.org
> >> https://elists.isoc.org/mailman/listinfo/internet-history
> >> -
> >> Unsubscribe:
> https://app.smartsheet.com/b/form/9b6ef0621638436ab0a9b23cb0668b0b?The%20list%20to%20be%20unsubscribed%20from=Internet-history
>


-- 
Sent by a Verified

sender

More information about the Internet-history mailing list