Re: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)
Toerless Eckert <tte@cs.fau.de> Sun, 20 August 2023 04:42 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1308C14F693 for <architecture-discuss@ietfa.amsl.com>; Sat, 19 Aug 2023 21:42:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.658
X-Spam-Level:
X-Spam-Status: No, score=-6.658 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQSoMFXCUl3d for <architecture-discuss@ietfa.amsl.com>; Sat, 19 Aug 2023 21:42:34 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F17EEC1516F3 for <architecture-discuss@ietf.org>; Sat, 19 Aug 2023 21:42:31 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4RT2yp57NGznkyg; Sun, 20 Aug 2023 06:42:26 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4RT2yp4HWLzkYnd; Sun, 20 Aug 2023 06:42:26 +0200 (CEST)
Date: Sun, 20 Aug 2023 06:42:26 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Hesham ElBakoury <helbakoury@gmail.com>, architecture-discuss@ietf.org
Message-ID: <ZOGZsubQNmjnkEtT@faui48e.informatik.uni-erlangen.de>
References: <f280e3ff-e498-47e8-aac5-1f320b47c827@betaapp.fastmail.com> <CADNypP_csCfe1W4ZMUhtQkurDKS+=FBDiGY7OaW4b37ipoKckQ@mail.gmail.com> <e553cc3e-5c3e-46e9-baf1-fe41af2e90c1@betaapp.fastmail.com> <CADNypP8WPOoPkFfn5o-dbRB50bXRT2yvhA6Y18RcrkRsJLb14w@mail.gmail.com> <4a2c5184-692b-4e2c-b1e8-7e480c60e897@betaapp.fastmail.com> <CADNypP9er0ThhjdKwWkEy7VbWh84icRciEhip=6X5WWS4icbmg@mail.gmail.com> <a0bc3442-94a7-47d0-901a-e9ed61c45a3e@betaapp.fastmail.com> <CADNypP-vUpfDQs0T1dwms1_kHpPR4ckkzea0KvmN8q_iAX7Q5A@mail.gmail.com> <ac2dd449-3a67-6aef-279f-62426be9c1a9@gmail.com> <CAMm+Lwjy34hofa+R4_KgVRZBv5y14c2R=HJ6kQNDsA0ZmrmWkg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAMm+Lwjy34hofa+R4_KgVRZBv5y14c2R=HJ6kQNDsA0ZmrmWkg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/XI5mvIBR14SIYhrQgbvqWihnaXo>
Subject: Re: [arch-d] Proposed IAB program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Aug 2023 04:42:37 -0000
As long as we keep e.g.: corporate naming schemes such as eckert-<whatever> for all equipment assigned to me at some employer, i am sure that the trackers will be happy to have us develop hardly tracable user-identity for us as people. Translation: tongue in cheek example for how device identity/naming may undermine user identity, and that i fear such outcome will be more likely if we ignore it in the process we're about to engage in. But i think this is just a reminder of what i think Eliot brought up when starting this whole sub-thread. Cheers Toerless On Sat, Aug 19, 2023 at 09:00:42PM -0400, Phillip Hallam-Baker wrote: > On Sat, Aug 19, 2023 at 8:22 PM Hesham ElBakoury <helbakoury@gmail.com> > wrote: > > > Is there a decision regarding whether device identity should be included > > in the program or not for device-to-device and device-to-network? > > > > Thanks > > > That is a good question at many levels. > > First off, we did have a working solution for establishing corporate > identity on the Web for almost 20 years. Some of that work is still > relevant to attempting to credential or identify people. And understanding > why attempts to extend the WebPKI model to people failed is also relevant. > > Secondly, I think we need to take device identity separate from service and > user identity. These should be considered separate concerns. > > > Let's consider the case where Alice is going to use a site hosted on > MegaSite which has 2000 domains on the same IPv4 address. We would like to > encrypt the initial contact so Eve doesn't know which one. There are two > ways we can do this. One is to delay notice of the service we want to > connect to until after we have received a public key, i.e. the second IP > packet. The other is to stuff a public key into the DNS. > > In either case, that public key is really a host public key, not a service > public key. > > > When looking at the next generation of security solutions, I believe we are > going to be focused on separation of roles, one technique for that is > threshold of course but it isn't the only one. Cryptographic hygiene, using > separate keys for separate applications, being able to track back > administration actions to specific individuals and specific devices becomes > critical. > > For example, Alice has her car broken into and her laptop stolen. The > attacker may have been able to bypass the authentication on the device and > SSH into the machines Alice administers. But did they? Only way to be sure > is if we have logs that show which actual device connected and that means > Alice using a different SSH key for each device. > _______________________________________________ > Architecture-discuss mailing list > Architecture-discuss@ietf.org > https://www.ietf.org/mailman/listinfo/architecture-discuss -- --- tte@cs.fau.de
- [arch-d] Proposed IAB program on Wholistic Human-… Christopher Wood
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eliot Lear
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Salz, Rich
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Dominique Lazanski
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eliot Lear
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eliot Lear
- Re: [arch-d] Proposed IAB program on Wholistic Hu… tom petch
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Mirja Kuehlewind
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Martin Thomson
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Pieter Kasselman
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Pieter Kasselman
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Warren Parad
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christian Huitema
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Glenn Deen
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Dick Hardt
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Stephen Farrell
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Henning Schulzrinne
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Stephen Farrell
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rifaat Shekh-Yusef
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… John Levine
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christian Huitema
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Rob Sayre
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Eric Rescorla
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christopher Wood
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christopher Wood
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Hesham ElBakoury
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Toerless Eckert
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Christian Huitema
- Re: [arch-d] Proposed IAB program on Wholistic Hu… Phillip Hallam-Baker