Re: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)
Eric Rescorla <ekr@rtfm.com> Thu, 29 June 2023 00:40 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8E1FC14CE2F for <architecture-discuss@ietfa.amsl.com>; Wed, 28 Jun 2023 17:40:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CTOhMZZNsvj for <architecture-discuss@ietfa.amsl.com>; Wed, 28 Jun 2023 17:40:49 -0700 (PDT)
Received: from mail-yw1-x1130.google.com (mail-yw1-x1130.google.com [IPv6:2607:f8b0:4864:20::1130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE582C14E513 for <architecture-discuss@ietf.org>; Wed, 28 Jun 2023 17:40:49 -0700 (PDT)
Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-57040e313c5so2282197b3.0 for <architecture-discuss@ietf.org>; Wed, 28 Jun 2023 17:40:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20221208.gappssmtp.com; s=20221208; t=1687999249; x=1690591249; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=4K1Re745Fp5MUiXfahPTEGrBCWecb6aUQQT5CQL/z+Y=; b=jOOlAzrcm6VuSM3tKRLsahLJBsB+XfNMcfxE3kPmjo48eBn7nx3ikuvDhJdCKdUQu6 sPPbLeetESRL0vDJndhyGZ/HWu1D4cZbDCvBux/EA/NuslkctMeJsxW1TX8ldLm7oTlU udfmbeRLYcc4jvp7K76rotPWj9jlxN1UWYw4+HuzVeVGZAW4wJ5q9ft6f9frhhjvWTPM XnSWoh8dkhgNVeRZ34/hzUr6LzKAwgNF5Pjumt50u+KrLTDjMY+cY3VgG1Mg8PROVytD MSiVZP2mmnlHlAYW0YqME4OjPcuX4gzwwZgqCE6plYhYlJw354QrpwYQg3kDrY/ZkKB0 rfgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687999249; x=1690591249; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4K1Re745Fp5MUiXfahPTEGrBCWecb6aUQQT5CQL/z+Y=; b=igjtKXIjn8yn7PVnfrLbL1Kp6pYj7k3EHkft5NgA5frLcyuaAfwMLb08dUIeimWIG9 wQFjSGtT/DP3DETKxYTGNaCIKQJszAIDko+S3Ooxnxr2Vsa2HOSueobDABxisDti99/Q 1GAnxupEw00/PyzGxopr+skYSLXih4Km9SCM39WuYrv7KzcnEUD+8JumWyTw3wwknS1g b0BdQAmvQHT3zmTugGiJVUapsHWbOQ53HEUjo0plkkiyqLl0eW0Ff0ze7fXG8q2pdVRE TPe2GuDmTQKQNNXgVb0i61IPOC1+xmULlidiq406SO4iqpMOl3ux4euFHa+wf/v6HEE5 tsvQ==
X-Gm-Message-State: ABy/qLbKUI2pwH1l8SEls2M81Huw+90H17zs80GvEQwAzpqh8byN50cD w1Nssd7benXlaqNqyGReADwAiTsG5wgoSXdYTKmOk0xTmP3moykE
X-Google-Smtp-Source: APBJJlEUPOPoDNYSm1rqy68QHXf8pAM7cubBCShTdXHhkWVBPubWYYQ6MhqXI/s+JJdJ05xPD2Z4Vky2utUsFlhxwUQ=
X-Received: by 2002:a0d:cb94:0:b0:56d:2e66:bd55 with SMTP id n142-20020a0dcb94000000b0056d2e66bd55mr3304788ywd.3.1687999248936; Wed, 28 Jun 2023 17:40:48 -0700 (PDT)
MIME-Version: 1.0
References: <47a9db87-9e08-4c7c-c213-68ee36aa0385@lear.ch> <f280e3ff-e498-47e8-aac5-1f320b47c827@betaapp.fastmail.com> <CADNypP_csCfe1W4ZMUhtQkurDKS+=FBDiGY7OaW4b37ipoKckQ@mail.gmail.com> <e553cc3e-5c3e-46e9-baf1-fe41af2e90c1@betaapp.fastmail.com> <CADNypP8WPOoPkFfn5o-dbRB50bXRT2yvhA6Y18RcrkRsJLb14w@mail.gmail.com> <4a2c5184-692b-4e2c-b1e8-7e480c60e897@betaapp.fastmail.com> <DBAPR83MB0422C8933498E0924D2C7F1B9124A@DBAPR83MB0422.EURPRD83.prod.outlook.com> <f669ff24-b9de-f320-4aae-b403903a74aa@huitema.net> <ZJyCp059sflHuQjb@faui48e.informatik.uni-erlangen.de> <CABcZeBP57fQjT2XJDvq1_Cy-wzSMP-oEwYy_0DHWmu1Qzztz0Q@mail.gmail.com> <ZJy7d0CjipV0s1SF@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZJy7d0CjipV0s1SF@faui48e.informatik.uni-erlangen.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 28 Jun 2023 17:40:12 -0700
Message-ID: <CABcZeBO=aoejSOizeJpQ=K3AbdoSBVnnHH3drfUb6T68TU+=Wg@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: Christian Huitema <huitema@huitema.net>, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009d4bcc05ff39f398"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/WOw0Ap_F7_KlfJxeRv-CHnSCuZA>
Subject: Re: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 00:40:53 -0000
On Wed, Jun 28, 2023 at 4:00 PM Toerless Eckert <tte@cs.fau.de> wrote: > On Wed, Jun 28, 2023 at 12:06:04PM -0700, Eric Rescorla wrote: > > Now we are getting into the actual work, but I think this is a pretty > good > > example of the limitations of this kind of anonymous credential. > > I am always only getting excited by use-case examples. > > > For instance, if you are at a bar and you want to purchase alcohol, the > > person selling it to you needs to know that the person in front of them > is old > > enough. It's not enough to just show them a zero-knowledge proof that > your phone has > > a credential proving that you are over 18 (21 in the US) you actually > need > > to prove that the person in front of them is over age, which means that > the proof > > has to be tied to a biometric (typically a photo). But at that point, > the biometric > > is usable for facial recognition even if your name is hidden. > > The biometric would be taken by the phone and verified by the trusted > third party > (DMV, ...) which then vouches for the "over 18 assertion" against the > establishments > terminal. > > Might not even need to have biometric verification if one assumes (IMHO > rightfully so), > that the chance of borrowing cell phones to someone else is pretty slim. > And even slimmer > when one puts some less intrusive incentives onto the cell phone to to not > borrow them > for such purpose. > I go into some detail into why the practice you are describing is not secure in the post I linked to, so I won't bother going into it here. Of course i know this is not only wishfull thinking from myself as a > half-witted > security interested person. I just have to recollect how Covid > certificates on phones > where "verified" at restaurants an eternity, oops: just 2 years! ago. > Laughable. > > I could have walked into restaurants with a contraption concocted from a > cell phone > case, a printout of a random QR code and a backlight. "Look here, photo or > QR code". > "Sure, please come in". > Yes, this practice is not secure, and I think in part reflected that the establishments in question didn't really care about COVID vaccination. But they do care about checking IDs--or at least they do care in places where the laws are strict. > > > > The systems where this kind of selective proof technology works better > are > > those where what's being authenticated is some sort of digital operation. > > Thats just because the digital operation is software that doesn't need > additional > incentives like a door man at a restaurant. But then again, you can turn > everything > digital these days by attaching a digital payment operation to it. > No, that's not the reason. The reason is that the good that is being delivered is digital and therefore that you don't need to bind it to a human. -Ekr > > For instance, you might want to prove you are a Netflix subscriber but > not have Netflix > > know who is watching what videos. This works because the credential is > just tied > > to your device, not to you personally (yes, I know it's more complicated > > than this). > > > But it works less well when you have avoid attacks where one person > > impersonates another. > > As soon as you deal with humans there is of course a lot of understanding > of human > behavior that one wants to factor into how to design the solution. > > Cheers > Toerless > > > -Ekr > > > > > > > > Not too difficult to imagine how to do this technically, but certainly > > > hard to believe that > > > current business and government entities would design such solution > that > > > your > > > privacy / anonymity is maximized. > > > > > > Obviously this is likely also where there might be a commercial > interest > > > of sponsors > > > of IETF participants to develop standardized solutions for exactly this > > > type of use cases, > > > but really making sure that those solutions will then still protect > your > > > privacy against > > > those commercial entities that contributed to the IETF effort, that is > our > > > IETF challenge - > > > or limitation. > > > > > > Cheers > > > Toerless > > > > > > On Wed, Jun 28, 2023 at 11:25:35AM -0700, Christian Huitema wrote: > > > > > > > > > > > > On 6/28/2023 6:17 AM, Pieter Kasselman wrote: > > > > > Martin, I read the "Human Oriented Discussion" part of the title > as a > > > statement about making the discussion accessible to humans (all of us > who > > > are not identity experts), not excluding machines (devices and > workloads). > > > The proposed program text clearly calls those out as being in scope. > > > > > > > > > > Authorization decisions (part of an identity system) needs to take > > > into account all identities (human and machine) acting on a resource. > There > > > are also examples of machine identities accessing sensitive data, even > when > > > there is no user present (batch processes for example). > > > > > > > > > > Given the rapid growth of machine identities, the shortage of > > > expertise in the identity field, the rising need for > > > multi-cloud/multi-platform systems (and managing identities in those > > > environments), the move towards least privilege systems and the > changing > > > threat landscape (a compromised device identity may be far more > impactful > > > than a compromised human identity), this may well be one of the most > useful > > > areas of exploration. > > > > > > > > I am worried about "human oriented" for another reason. As EKR said, > a > > > lot > > > > of what we handle are "credentials", such as authorizations to use a > > > > particular resource on the Internet. There is of course a lot of > work to > > > be > > > > done to properly manage credentials, but moving from "credentials" to > > > "human > > > > oriented identity" implies something else: that a set of credentials > is > > > > linked to the identity of a particular human person. And that makes > me > > > > shudder, because this ties directly to tracking people activities > around > > > the > > > > Internet. > > > > > > > > Separating "credentials" from "human identity" is a pretty important > tool > > > > for privacy. It allows people to compartment their activities, so > that > > > for > > > > example your activities in a church, in a sport club or in a work > place > > > are > > > > not linked. It also allow credentials to be shared by groups of > people, > > > so > > > > that outsiders cannot easily track which person in the group engaged > in a > > > > specific activity. > > > > > > > > I can see how governments and businesses would like linking > credentials > > > to a > > > > specific human person. Advertisements would be so much more relevant! > > > Laws > > > > about viewing ages would be so easier to enforce! The police would > be so > > > > much more efficient! Cheating spouses would be so easy to find out! > But > > > > then, these very reasons are why "unique Internet identity" is so > > > > controversial. > > > > > > > > If the IAB does proceed with this Human-Oriented Identity program, I > sure > > > > hope that treating privacy issues and providing privacy guarantees > will > > > be > > > > the number one priority. > > > > > > > > -- Christian Huitema > > > > > > > > > > > > _______________________________________________ > > > > Architecture-discuss mailing list > > > > Architecture-discuss@ietf.org > > > > https://www.ietf.org/mailman/listinfo/architecture-discuss > > > > > > -- > > > --- > > > tte@cs.fau.de > > > > > > _______________________________________________ > > > Architecture-discuss mailing list > > > Architecture-discuss@ietf.org > > > https://www.ietf.org/mailman/listinfo/architecture-discuss > > > > > -- > --- > tte@cs.fau.de >
- [arch-d] Proposed IAB program on Wholistic Human-… Christopher Wood
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eliot Lear
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Salz, Rich
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Dominique Lazanski
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eliot Lear
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eliot Lear
- Re: [arch-d] Proposed IAB program on Wholistic Hu… tom petch
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Mirja Kuehlewind
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Pieter Kasselman
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Pieter Kasselman
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Warren Parad
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christian Huitema
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Glenn Deen
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Dick Hardt
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Stephen Farrell
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Henning Schulzrinne
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Stephen Farrell
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… John Levine
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christian Huitema
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rob Sayre
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christopher Wood
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christopher Wood
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Hesham ElBakoury
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christian Huitema
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker