Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

"Joel M. Halpern" <> Tue, 28 January 2020 15:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 04783120808 for <>; Tue, 28 Jan 2020 07:16:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 2.635
X-Spam-Level: **
X-Spam-Status: No, score=2.635 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_SCAM=1.999, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4l9iQl_HP2NY for <>; Tue, 28 Jan 2020 07:16:14 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F1492120124 for <>; Tue, 28 Jan 2020 07:16:13 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 486VZ56Tmfz1nyXc; Tue, 28 Jan 2020 07:16:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=2.tigertech; t=1580224573; bh=AS8X3yB4C40Zm3JG2J3nrwqwmjGRhDSQxHaTMZ7cybg=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=oIG+MUGdrTVEQs1hpmkgBaFnansUzbWiE++M+Y+Tqjismo/xoxH3sT1AqGVgLNU6N 7wRU1GPpCS0VJaHF0M+VEW1yq1weV+jyavVAL0Beks1ZVlDwT+zIdxgD9+eQ+OX5PF MGZq3/d2uNP4/tCw244vMEzjCBp+QVF99bvHgOfg=
X-Virus-Scanned: Debian amavisd-new at
Received: from [] ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 486VZ51y9rz1ny8c; Tue, 28 Jan 2020 07:16:13 -0800 (PST)
To: Eliot Lear <>
References: <> <> <> <> <> <> <> <> <> <>
From: "Joel M. Halpern" <>
Message-ID: <>
Date: Tue, 28 Jan 2020 10:16:09 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 28 Jan 2020 15:16:15 -0000

I am a bit concerned by the emphasis on what appear to be application 
policy, business policy, or government policy.  To the degree that these 
are decoupled from the technology we define, my impression is that the 
IETF is neither skilled at nor influential with regard to these topics. 
We can spend a lot of time and energy on them.  They are interesting 
topics.  But are they really our business?


On 1/28/2020 1:44 AM, Eliot Lear wrote:
> Hi Watson,
>> On 28 Jan 2020, at 02:35, Watson Ladd < 
>> <>> wrote:
>> On Sun, Jan 26, 2020 at 1:44 AM Eliot Lear < 
>> <>> wrote:
>>       Let’s look at three specific examples that I’ve mentioned:
>>     1.  Train signaling system needs to be audited both live and
>>     retrospectively in the case of accidents.  This has to happen in
>>     such a way that the auditor sees precisely what was sent by one
>>     endpoint and received by the other.
>>     2.  The case of “parent doesn’t want Internet toy to send video of
>>     child”, when the camera is undisclosed (it’s an analog to the
>>     privacy analysis on Alexa[1] and the now infamous NEST episode[2]).
>>     3. CPAP machine or an AED/pace maker provide a control interface
>>     to the doctor but the patient or his next of kin wants the data.
>> I've got a few more examples from real life:
>> 4: We need to see who is sending pictures of Winnie the Pooh.
>> 5: We don't want pictures of the inside of our detention centers to 
>> appear online.
>> 6: I want to see everyone's credit card number at the coffee shop I run.
>> Any discussion of tapping network communications because endpoints 
>> can't be trusted needs to take these cases seriously. 
> Absolutely.  What I am suggesting is a relatively new twist on an old 
> problem(*).  It’s important to understand the economic and policy 
> aspects of how/whether to avoid [4] and [5], how to avoid [6] while at 
> the same time addressing use cases I mentioned.
> So… today’s new information comes courtesy of the EFF.
> Here we have yet another IoT device that, from at least one person’s 
> perspective is invading home privacy.  And again, it is the device 
> itself that is the threat.  In this case, it’s probably a more 
> manageable threat, because one can simply not get a NEST.  Try not 
> getting a CPAP machine.
> And this brings us around to what layer to solve the problem at.  Some 
> of this may need to be dealt with at layer 9 rather than at lower 
> layers.  We should have that discussion too.
>> Increasingly corporate networks are moving away from network layer 
>> access controls and using user authentication over TLS, so-called 
>> BeyondCorp model, including checking endpoint posture through management.
> I don’t think this solves the railroad case.  Do you?  Just to clarify 
> the example:
> According to their logs, two separate signals received  “set your lights 
> to green” at the same time, causing two trains to crash into each other. 
>   According to the signal controller’s logs, it sent “set your lights to 
> green” to only one signal.  What happened?
> All of the cases we are discussing have slightly different flavors of 
> threats.  From an IAB program standpoint, the real question here is 
> this: what are the architectural building blocks that are required? 
>   Keep in mind, some of those blocks could be code and some could be policy.
> One goal should be code reuse. It is probably best that the people 
> building the train signal *not* reinvent everything, but rather benefit 
> as much as they can from the experience and results that you, EKR, and a 
> great many other people have brought to society.
> Eliot
> (*) It’s also important to not fall into old tribal communication 
> patterns, while recognizing the realities of the concerns raised by you, 
> Watson, and me.