[ih] Security issues are not discussed in this memo [was: A revolution...]

John Day jeanjour at comcast.net
Mon May 11 11:30:05 PDT 2026


FWIW, OSI began work on security in the early 80s, probably 1982. (OSI started in 1978). The first step would have been to do a security architecture to lay out what standards were necessary. Seeing the need, I pulled together 3 or 4 US experts and asked them to begin work on the problem. That of course attracted participation from other companies. Other security standards were developed based on that or hooks for security in other protocols. For example, the standard for creating application connections had a plug-in for authentication.

Take care,
John

> On May 11, 2026, at 00:31, Brian E Carpenter via Internet-history <internet-history at elists.isoc.org> wrote:
> 
> On 11-May-26 12:09, Greg Skinner via Internet-history wrote:
> ...
>> I’m not sure what Andrew Sullivan meant by “give away.” IMO, the USG had a much more liberal attitude towards 1970s and 1980s Internet technology, as well as the Internet itself, than it did towards cryptographic technology at that time.  The history of PGP <https://en.wikipedia.org/wiki/Pretty_Good_Privacy> provides an example of this.  If the Internet and/or Internet technology had been subject to tighter access and export controls, neither might have (as easily) become what they are today.  (I realize there is a lot more to this, and would welcome others who have much more experience than I do in this area to comment.)
> 
> When did people start to think seriously about security (which is much more than cryptography, of course)?
> 
> It was RFC 1311 (March 1992) that introduced the infamous phrase "Security issues are not discussed in this memo" which was used quite liberally for a long time. "Security Considerations" sections in RFCs seem to have become normal around 1989, but most of them were very weak for many years. (At CERN, we saw elementary attacks from about 1986, mainly via DECNET, and we first appointed a network security person in about 1988.)
> 
> Of course, by the time the PGP mess came along, it was clear that NSA and its friends were taking a lot of interest in the Internet, and we poked the hornet's nest in the mid-1990s with RFC 1984. But DARPA funding was gone by then.
> 
> Regards/Ngā mihi
>   Brian Carpenter


