Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

John C Klensin <john-ietf@jck.com> Tue, 28 January 2020 16:20 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E411D120A14; Tue, 28 Jan 2020 08:20:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SdvSTlfS1Jyp; Tue, 28 Jan 2020 08:20:53 -0800 (PST)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0055120A06; Tue, 28 Jan 2020 08:20:53 -0800 (PST)
Received: from [198.252.137.10] (helo=PSB) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1iwTbe-000Ico-Hz; Tue, 28 Jan 2020 11:20:50 -0500
Date: Tue, 28 Jan 2020 11:20:45 -0500
From: John C Klensin <john-ietf@jck.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
cc: architecture-discuss@ietf.org, model-t@iab.org
Message-ID: <78E09CC1706F7D66D5F8DE1E@PSB>
In-Reply-To: <66867749-85fd-8c1e-16b5-b261239a9ba3@joelhalpern.com>
References: <E2D709DC-DD01-4946-B2F1-7EE0E101DEF0@piuha.net> <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com> <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.c om> <6a1a019b-8666-269c-56ca-ebae4b69e9e8@huitema.net> <C7FDAD8F-D66A-4618-9F87-B1BB9CEA191B@cisco.com> <CABcZeBPKFEEDqQEGXZAD87n5cCsA75+uMGp-brq0JXBoW91LjQ@mail.gmail.com> <96A32815-C313-4C08-90FF-DDAFAD591287@cisco.com> <CACsn0ck9PDAOhZrbBZ7e4UVU7eNiSgrfVO7JL9zaYaX3if2WVw@mail.gmail.com> <DCE750AF-6439-4961-A4DA-ED855807F68E@cisco.com> <66867749-85fd-8c1e-16b5-b261239a9ba3@joelhalpern.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/rA6YwyT0GZJ0_iF50fMK2ffduPE>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2020 16:20:56 -0000


--On Tuesday, January 28, 2020 10:16 -0500 "Joel M. Halpern"
<jmh@joelhalpern.com> wrote:

> I am a bit concerned by the emphasis on what appear to be
> application policy, business policy, or government policy.  To
> the degree that these are decoupled from the technology we
> define, my impression is that the IETF is neither skilled at
> nor influential with regard to these topics. We can spend a
> lot of time and energy on them.  They are interesting topics.
> But are they really our business?

Joel,

I've been trying, not very successfully, to follow this very
lively discussion, but two observations which I hope are not out
of context:

(1) I think that "neither skilled nor influential ... [and
therefore] not our business" leads us down a path whose
destination is irrelevancy.  Even for link encryption (and
perhaps more so when the scope is broadened), we should probably
recognize that mounting pressures from law enforcement (both
associated with governments some of us like if they like any
governments at all and those they don't like or who are viewed
with more suspicion) could easily lead to regulations for
government access to keys or other backdoors or even to outright
bans on public use of cryptography.  Even noting that arguments
from the technical community had major influence on killing the
Clipper Chip effort and that making those arguments was very far
from "not our business", it seems to me that good engineering
requires that we not put our heads in the sand and pretend that
the world is different then it actually is or might be becoming
when we design protocols.   In particular, that may mean that,
in some places, we should be writing specifications less in
terms of "if you want to have privacy, you MUST do X" and more
in terms of "...SHOULD do X unless that is not feasible but, if
it isn't, then the fallback approach SHOULD include Y and Z".
In the real world, "feasible" may include political of other
constraints, not just constraints imposed by physics.  We may
not always be able to figure out good alternatives to our
preferred recommendations, but I suggest that making a balanced
and good faith effort to understand the problems and the
environments in which we expect our protocols will be used will
lead to better design even when we don't have good solutions.  

Or, to put it more negatively, if we fail to understand and try
to account for those environments, we risk being put in a
position in which _we_ are the ones responsible for Internet
fragmentation and/or for protocol work moving to bodies other
than the IETF because regulators make conforming implementations
of IETF protocols illegal or commercial firms discover that
conforming implementations cannot be developed and sold.

(2) If I correctly understand the issues that Eliot, Watson, and
Kathleen are exploring, the key involves the rather classic
security issues of authorization and authentication --who should
have access to particular information and how do we tell they
are who they claim to be?  In a way, maintaining and enforcing a
non-trivial list of authorized parties but keeping everyone and
everything else out (the example of some doctors and the
patients themselves is very helpful for thinking about this) is
a lot harder than keeping everyone out except those who control
the endpoints (whatever that means).   But most of that problem
is technical and, if we don't have the expertise (I'm tempted to
say "any more") that is a problem for us.

In both cases, it seems to me that an IAB Program (or at least
one or more serious workshops) are exactly the right model for
addressing these problems for at least two reasons:  The IAB is
in a much better position than, say, an IETF WG, to recruit
specific expertise to cover perspectives and areas of expertise
that are not widely available in the IETF.  It is also perfectly
reasonable for such a program to produce recommendations about
issues that need to be considered even if they have no good
solutions or even if they are convinced that there are no
solutions out there.  I can only hope that the IAB will hold
itself to a very high standard of including multiple
perspectives (even perspectives with which IAB members and their
perception of IETF consensus are in significant disagreement)
and a broad range of expertise in the Program and that the
community will hold the IAB accountable if they do not.  If the
way the IAB were to recruit Program members involved asking for
volunteers from within the IETF community and then further
narrowing the Program's perspective by selecting people from
among those volunteers who agreed with the IAB's own views, the
Program would likely be a waste of time or worse.

    john