IETF Logo Mail Archive

Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

Bernard Aboba <bernard.aboba@gmail.com> Fri, 24 January 2020 20:51 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E64E120884 for <architecture-discuss@ietfa.amsl.com>; Fri, 24 Jan 2020 12:51:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HHU0r7Le_U7M for <architecture-discuss@ietfa.amsl.com>; Fri, 24 Jan 2020 12:51:18 -0800 (PST)
Received: from mail-vk1-xa2e.google.com (mail-vk1-xa2e.google.com [IPv6:2607:f8b0:4864:20::a2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE03A120858 for <architecture-discuss@ietf.org>; Fri, 24 Jan 2020 12:51:18 -0800 (PST)
Received: by mail-vk1-xa2e.google.com with SMTP id w67so1033180vkf.1 for <architecture-discuss@ietf.org>; Fri, 24 Jan 2020 12:51:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yrSrtigg4k7RLwed//yyNsKSqLbNzbDjSQNJA8wwlvY=; b=vPO1g3wi06cnn3cgxkYWmDuMAPp6hfHnu1+AYcsySq8jnLDtTzzBAmci1I44yv3U3e tmb4GTHhYARHnCQ7Nmho7bzV3N4yOwn+6Ugv54bIdLDyAKk63jE7p1kH9linfPNE09Nz fzS4kkvmJNEXoDh7Tk38CHbYRKN/R6Hl1vlFHA2Zz4b+kIEcK5+mSPkqCkXGa2bz/0Ft POEHA/knwRrlWPYkvEytmsBTnB6gQ2yku5Lhq26mtjceSGA623s73EzenrtmfBQNjfdH pg2b0QQHVFxuJGPfOIiD0C8OYIR30m4LgnLh2CMfAfC3Uecx01J578M3KSCvVxxsumFx GOsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yrSrtigg4k7RLwed//yyNsKSqLbNzbDjSQNJA8wwlvY=; b=p/8kKKtBE9qWJxGfxczTJJaBmHu2YY/nOM6gaEDu8YNOftP8+g/RyyvTvm3HZ6tTZf Pp3L6+J1SRHGAn41b+E488uxRLLm7hlEJ26GN4GW95Nbv1A7V+d9hebj83GPj9A/GaQ5 aYgMRm+UMfozfR7OFLM7DSK2Rg7C/+aPMaLFdQkdTl+qUCAONRDFWJiX2c3X7Kdl3l9V K5L/kQ0j5DfN1o+p8nFJ1sIYRV11Er3xi/8UYqsbWwhtAizQOJ/x3E6IEreNbPFdWWZ1 BfIAWuPI5ZduijJQeJ+7QsbwrSXBWPpx4ukIJe7pCwDmd9lNRiT49hSidD+Yto33E1LP VWBA==
X-Gm-Message-State: APjAAAUn2mdxdgoQ1qjyq6lJIS3EFiTVAEC0Bq0tLft1DV2ohC2DHw+C 7PTGzN46Oajkkn0mFhMFK414ahILzxCPiOnLJFo=
X-Google-Smtp-Source: APXvYqySmj6ZH8OHaVEYLTAJTPx1bRpkQl75PUDevmSrdBdah5aEHJ0Uuk87ql29NJOqlUPK+9dTzam77sClaUzthjU=
X-Received: by 2002:a1f:bd87:: with SMTP id n129mr3339771vkf.23.1579899077298; Fri, 24 Jan 2020 12:51:17 -0800 (PST)
MIME-Version: 1.0
References: <E2D709DC-DD01-4946-B2F1-7EE0E101DEF0@piuha.net> <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com>
In-Reply-To: <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Fri, 24 Jan 2020 12:51:06 -0800
Message-ID: <CAOW+2dsix03F0X8vFnYkKWzTMkZnff1_zPQr3tcqMrP2RY17Cg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, architecture-discuss@ietf.org, model-t@iab.org
Content-Type: multipart/alternative; boundary="000000000000488df8059ce8eb55"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/BcDyLabSpMBNKPvzq_8M2eSiC1U>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 20:51:22 -0000

EKR said:

"What does feel dated in 3552 (at least to me) is the emphasis on a bunch
of very old school protocols and the more or less total elision of the Web.
In particular, if we're talking in terms of threat model, the idea that you
have a lot of different untrusted programs running on your machine (i.e.,
in the JS VM) and that you need to secure them from each other really is
new and could use some documenting. It's worth noting, however, that (a)
that's largely about implementation and (b) that that system strives to
achieve the kind of "each endpoint its own isolated unit" ideal that 3552
asumes."

[BA] I agree that RFC 3552 does feel dated with respect to today's Web.  In
a number of cases, it has become clear that the term "endpoint" is too
general, and that we may need to define much more precisely what endpoint
elements (e.g. JS applications, native browser code, trusted hardware
modules, etc.) are trusted with what data.

On Fri, Jan 24, 2020 at 12:04 PM Eric Rescorla <ekr@rtfm.com> wrote:

> Brian's comments match my recollection. Specifically, we didn't think we
> were *defining* a threat model as much as documenting a consensus model
> that already existed. Incidentally, it's not clear to me what a "trust
> model" is. This is not a term that appears in 3552 nor is it a real term of
> art that I am familiar with.
>
> Taking a step back, I remain unpersuaded that the 3552 threat model is
> really out of data. The two main deficiencies I have heard floated are:
>
> 1. That it doesn't take into account traffic analysis and pervasive
> monitoring.
> 2. That the assumption that endpoints are uncompromised is unrealistic.
>
> I can see some merit in the first point, but this seems to really be more
> a matter of emphasis: 3552 already specifies a Dolev-Yao style attacker,
> which means that it can observe all communications. So really what has
> happened is that we have a clearer picture of just how realistic that is
> and what you can do with that kind of access. I can see some kind of
> update, but again it's less about threat model than about modern examples.
>
> As far as the second point goes, I think that when you are thinking about
> comsec protocols it's still true that you can't do much if you don't trust
> the endpoints. I think 3552 could be a bit better about recognizing that
> there are malicious actors in the system, though obviously that's implicit
> in the discussion of DoS. Anyway, this doesn't seem like much of an update
> to the threat model.
>
> What does feel dated in 3552 (at least to me) is the emphasis on a bunch
> of very old school protocols and the more or less total elision of the Web.
> In particular, if we're talking in terms of threat model, the idea that you
> have a lot of different untrusted programs running on your machine (i.e.,
> in the JS VM) and that you need to secure them from each other really is
> new and could use some documenting. It's worth noting, however, that (a)
> that's largely about implementation and (b) that that system strives to
> achieve the kind of "each endpoint its own isolated unit" ideal that 3552
> asumes.
>
> -Ekr
>
>
> On Fri, Jan 24, 2020 at 11:47 AM Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
>
>> Hi,
>>
>> I'm confused. What we have in RFC3552 is very intentionally guidance for
>> RFC writers on what they need to cover in their RFCs. Its specific purpose
>> was to get rid of "Security considerations are not discussed in this
>> memo."
>> Its purpose was not primarily to define an abstraction like a "trust
>> model"
>> or a "threat model" (the draft charter seems a bit vague about which of
>> those
>> it means).
>>
>> I really do not want to see the pragmatic purpose of RFC3552 lost in the
>> effort to define these abstractions. I don't think that is the intention,
>> but the text seems to imply that RFC3552 was mainly a description of a
>> generic threat model, which it wasn't.
>>
>> I am not against an IAB effort to analyse how the threat and trust models
>> (plural) have evolved since the security workshop [RFC2316] that
>> ultimately
>> led to RFC3552. That seems like a good idea. An update of "Guidelines for
>> Writing RFC Text on Security Considerations" also seems like a good idea.
>> But the draft charter text seems to conflate these two separate lines of
>> action.
>>
>> Incidentally, while writing the above it occurred to me why the phrase
>> "IAB program" has always slightly disturbed me. Really the proposal is
>> a virtual IAB workshop (whereas RFC2316 came from three days in a room
>> together in Murray Hill, NJ). A good idea, but not a program.
>>
>> Regards
>>    Brian
>>
>> On 25-Jan-20 00:49, Jari Arkko wrote:
>> >
>> > The IAB are considering starting up a programme on Internet
>> > trust model evolution as described in the link at the bottom of this
>> > email.
>> >
>> > We'd like to get feedback on that idea and the text. As you may
>> > be aware, in 2019 a number of documents were published on
>> > this topic and discussions held (on the mailing list, SAAG, side
>> > meeting at IETF-106, workshops, etc). There’s also a virtual
>> > meeting coming up on February 14th.
>> >
>> > To be clear, any output from this program would be text offered
>> > to the IETF for consideration - it is not within the IAB's remit, nor
>> > that of an IAB program, to modify a BCP. Nonetheless, an IAB
>> > program offers a good venue for this work, as it perhaps allows
>> > for more focus on the evolving architecture aspect within this space.
>> >
>> > The plan is for the new program to be entirely open for participation,
>> > similar to how the current work has already been. That is, the mailing
>> > list is open for all interested to join, meetings are open and listed
>> > in the public agendas. The IAB will find a chair or chairs for the
>> > group to stay organised.
>> >
>> > There's no specific deadline for this, but the IAB will consider this
>> > further in the next few weeks, so if you could take a few minutes
>> > to share your thoughts on this that'd be great.
>> >
>> >
>> https://github..com/intarchboard/model-t-charter/blob/master/model-t-charter-00.md
>> <https://github.com/intarchboard/model-t-charter/blob/master/model-t-charter-00.md>
>> > https://www.iab.org/mailman/listinfo/model-t
>> >
>> > Stephen & Jari
>> >
>> >
>> > _______________________________________________
>> > Architecture-discuss mailing list
>> > Architecture-discuss@ietf.org
>> > https://www.ietf.org/mailman/listinfo/architecture-discuss
>> >
>>
>> --
>> Model-t mailing list
>> Model-t@iab.org
>> https://www.iab.org/mailman/listinfo/model-t
>>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss
>

v2.23.0 | Report a Bug | By Email