Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

Robin Wilton <wilton@isoc.org> Wed, 29 January 2020 21:17 UTC

Return-Path: <wilton@isoc.org>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 263A9120047 for <architecture-discuss@ietfa.amsl.com>; Wed, 29 Jan 2020 13:17:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9IcauEx721I for <architecture-discuss@ietfa.amsl.com>; Wed, 29 Jan 2020 13:17:40 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0627.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe45::627]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 697C2120045 for <architecture-discuss@ietf.org>; Wed, 29 Jan 2020 13:17:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MdKzXCLpwTW3rcEyQfENAKsUNcmRaxX2Vu4IXB1IxUXwryE4vL/n5dr/ju42iKnQgjDQ4x3hh/uUZBZxg7FnYJDRFH8CXauwGdkimEjbem6E0/7ERa0+pTO0K7Cd0+ZBGtO4sTXynINfD+lR/NO1SwkMwDnB+ds/KUmrR4WEeTlH+gq+1x2NDFb9ZSnve3TznFEOmCAL0dSDr4y64vEKQiTQxhPKcNmfY8mtKCswSS1PVEmIDJAUlwr9rDIDAWclN9etUY9tg8O+yX9CHIzP1eLBUxWc8H6wW6tM3vI34nCsdVI+fgtOYelBSoaxLSc9AMJX65OGoGw4THAUVOlP2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+R4UbNOEb9SCinrTMmtEyg12OOrsLSB9AIjuEmf+CLQ=; b=YEwdx/szug7WTVEuun7bxTQ3PfLPwNhh+GlxnFm1TDXJj5zBs9l3OdiU8twC8Aa+mnag6vi7esdI0NbYM0HWBAxueFuSu9Qp0JT/vkRnpvEy4kZ8//VH/7lBAZBCPsbloNwWyPkvF9eIAiFTdBTMKPss897Lulwxdonbp5GTVb6BxBYpmm7S/btoCNDnQcDpyMKG44zyxJxUfvZdwXmcs2Sirj8evp8eNUFZgUE8kqPF4FIuE8fAL5SYdW4AmZU9lTK+2r4xN2huQBW3GaSBdchZjxEkXhLmxKRRJA1jivtXDOJkrYbmPFCUtOZl+oOqN0ItRRNk7lGnhMhoBdlsTg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=isoc.org; dmarc=pass action=none header.from=isoc.org; dkim=pass header.d=isoc.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+R4UbNOEb9SCinrTMmtEyg12OOrsLSB9AIjuEmf+CLQ=; b=s5ddc7E6yBu+UwhEVnsXdbxgYcuLZraCved0CFQxcZkQuPctXezmtLC7cXHEtanO750RxuFhCU4MXhgKyFtKnZcaJrM0f9Wpu9NJw1BEjChWSQDtL2ceqly0Z4ALeOMQ5wXtWBZvO3ktyVBrvXKvSJ28qxS0IuvrzgOFSvxzqJk=
Received: from BL0PR06MB4772.namprd06.prod.outlook.com (52.132.0.222) by BL0PR06MB4914.namprd06.prod.outlook.com (10.167.240.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2686.26; Wed, 29 Jan 2020 21:17:38 +0000
Received: from BL0PR06MB4772.namprd06.prod.outlook.com ([fe80::bcb1:34ae:3c82:185c]) by BL0PR06MB4772.namprd06.prod.outlook.com ([fe80::bcb1:34ae:3c82:185c%6]) with mapi id 15.20.2665.026; Wed, 29 Jan 2020 21:17:38 +0000
From: Robin Wilton <wilton@isoc.org>
To: Eliot Lear <lear@cisco.com>, Bernard Aboba <bernard.aboba@gmail.com>
CC: "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>, "model-t@iab.org" <model-t@iab.org>, Toerless Eckert <tte@cs.fau.de>
Thread-Topic: [Model-t] [arch-d] Possible new IAB program on Internet trust model evolution
Thread-Index: AQHV1thkVQ/MZmJpQkC8KjQJYwIVSqgCJFli
Date: Wed, 29 Jan 2020 21:17:38 +0000
Message-ID: <BL0PR06MB4772046AA2FD38C48F5C75BBBF050@BL0PR06MB4772.namprd06.prod.outlook.com>
References: <E2D709DC-DD01-4946-B2F1-7EE0E101DEF0@piuha.net> <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com> <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.com> <6a1a019b-8666-269c-56ca-ebae4b69e9e8@huitema.net> <C7FDAD8F-D66A-4618-9F87-B1BB9CEA191B@cisco.com> <CABcZeBPKFEEDqQEGXZAD87n5cCsA75+uMGp-brq0JXBoW91LjQ@mail.gmail.com> <96A32815-C313-4C08-90FF-DDAFAD591287@cisco.com> <CACsn0ck9PDAOhZrbBZ7e4UVU7eNiSgrfVO7JL9zaYaX3if2WVw@mail.gmail.com> <DCE750AF-6439-4961-A4DA-ED855807F68E@cisco.com> <CAOW+2dvf6hhcCimis8Q0RUCtY_-ZkaoC6p6t-HpOj5K6Q6O08w@mail.gmail.com>, <16390A67-B502-4278-B93E-2642025F356D@cisco.com>
In-Reply-To: <16390A67-B502-4278-B93E-2642025F356D@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=wilton@isoc.org;
x-originating-ip: [95.175.104.159]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9e33f99b-01fe-4ab0-faa1-08d7a500ab04
x-ms-traffictypediagnostic: BL0PR06MB4914:
x-microsoft-antispam-prvs: <BL0PR06MB4914EBBDFE2A58A2E39FD960BF050@BL0PR06MB4914.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 02973C87BC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(199004)(189003)(33656002)(5660300002)(7696005)(498600001)(66574012)(76116006)(91956017)(66476007)(26005)(186003)(9686003)(55016002)(66446008)(2906002)(64756008)(66556008)(66946007)(8676002)(6506007)(71200400001)(81156014)(81166006)(53546011)(8936002)(54906003)(110136005)(52536014)(86362001)(4326008); DIR:OUT; SFP:1101; SCL:1; SRVR:BL0PR06MB4914; H:BL0PR06MB4772.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YFc+X9c6hTTqGQ+zd/XU/G5vltjTPlanvAVQVNzbBKIRjeV3fGGfOGSdIK8B8bQsVaPLPB3gJG4EqtbKSG+JNGgp/ury/M6P9UqOud11vriyCaWXXsC7li4A3Xvece9Sh5mifoWv8A3ld1tXgFemQbDjcNtLiptY/F1MR+gVCUF4fBrBIMM4RdYLNBkfzFC3gs2Za7w7wMI17qPgHN9j7/b38+OryZPpE1rSnpFQkPqUzffz3cGERVB/B9Qt/Edx+KFuJvslu0AVQrLI/TiV4ZC03VnqZDFk6h88O3q2M/iu7qj+/NBwcf1LEqJpNbHp9tWGajw+/A12BX8+Af3EMc7EYhFTjiOEdkxARCBlnwrFDwoMvMLiuz7uJQlJuLW2NpdX6+5jVo7W9wbYGgdNo/G3VwmoIpSk/1b4J958atwdcYw7RAfy5CumEhcn4Q/5
x-ms-exchange-antispam-messagedata: 4bKvFSBJ1pvZjYcm4IEq6aQ0VJKZf0+5EgORHHWw/GY8opyUD+cQwwz3lWZzLhy89DLmaKakfkCD30fwrxnTgitGPcurCVat7zzvwciHvnN56Yp3CDeIx9NeZvQ2nxekvx5cdzfi/4/YsGPszXNp6g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BL0PR06MB4772046AA2FD38C48F5C75BBBF050BL0PR06MB4772namp_"
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: 9e33f99b-01fe-4ab0-faa1-08d7a500ab04
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jan 2020 21:17:38.3658 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nv9bTGDUo3vovCjTC0g7P6S6hMK1fomBlNoB5LjE/wX3IXGN7M1YAIiqRWsBZT61
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR06MB4914
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/KZfIgIefwakfTKPDnBAo2rGhA_E>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 21:17:46 -0000

Thanks, both. As I read your comments, one phrase kept presenting itself to me...
“user agency”. What is it, in the system, that is giving effect to the user’s intention and preferences. I’m not even going to try and guess which layer(s) that thing (or those things) reside, at this point, and I entirely agree that this is an opportunity to take a few deep breaths and consider the problem space.

Best wishes,
Robin
________________________________
From: Eliot Lear <lear@cisco.com>
Sent: Wednesday, January 29, 2020 9:48:32 AM
To: Bernard Aboba <bernard.aboba@gmail.com>
Cc: architecture-discuss@ietf.org <architecture-discuss@ietf.org>rg>; model-t@iab.org <model-t@iab.org>rg>; Toerless Eckert <tte@cs.fau.de>
Subject: Re: [Model-t] [arch-d] Possible new IAB program on Internet trust model evolution

Hi Bernard and thanks for your valuable thoughts.

On 28 Jan 2020, at 23:50, Bernard Aboba <bernard.aboba@gmail.com<mailto:bernard.aboba@gmail.com>> wrote:

Eliot --

The examples you describe are difficult to capture within protocol-specific threat models (RFC 3552) or privacy considerations (RFC 6973).  For practicality, those analyses need to maintain a narrow focus, yet at the same time we understand that systemic privacy and security issues can only be understood when analyzing the system that a protocol is embedded in.  As a result, even protocols that successfully address the original threat models can be the source of major systemic vulnerabilities. For example, we could not have expected the authors of RFC 1945 (HTTP 1.0) to have anticipated the security and privacy problems arising from today's social media implementations - some of which were discussed during the Internet Privacy Workshop summarized in RFC 6462.

I really cannot say what, if any, protocol changes I would suggest at this point to handle some of the cases I mentioned.  Assuming there is interest in this approach, I would suggest a bit of a collection and a culling.

I want to address one related point: Joel doesn’t think the program should get up into layer 9 too much, and I would say that it would be necessary to do so to figure out where we as a community want to make some Lessiguesque law, and when perhaps we need to leave that to others, but see below.


However, I do think that you're on to something important that is worth IAB consideration.

It strikes me that in a number of the examples you cite the "endpoint" is not acting in the interest of the "end user", at least in the sense described in draft-iab-for-the-users.  As was noted in Section 4.2:


   In contrast, the Internet of Things (IoT) has not yet seen the
   emergence of a natural role for representing the needs of the end
   user.  Perhaps as a result of this, that ecosystem and its users face
   serious challenges.

For example, consider how some of the IoT behavior you describe might be handled within a permission model implemented in a browser or a mobile device:

1. Would a user grant permission to access to camera or microphone?   In the example of the device that did not advertise that it contained a microphone, presumably, the answer would be "no" (although the microphone was not initially enabled so perhaps permission might not have been requested).
2. Would the user grant permission to access personal information such as location?  In the example of the device with embedded trackers, again the user would probably not have granted access to location and other data (although we know that location can easily be obtained in circumvention of browser or mobile device protections).



Very well put.

I think that leads us into a bit of futuristic scenario planning about how that permission model would work, what the control points are, then how they interact, etc.  The L9 discussions come in the form, I think, of incentive modeling to address the for-the-users point.  But that’s for later.  For now, what are the problems?

To Toerless’ point:

Yes, i think we can agree that we would like all Internet end-to-end
transport must not even allow for a misconfigured option to use null
encryption, but i think when TLS 1.3 was standardized, there should have
been a better solution than to completely oppress the needs of those
other use-cases.

And my suggestion is that we take three steps back before we even go there.  Let’s not treat this like an IETF working group, but pause and take deep breaths and work the problem space just a bit.

Eliot