IETF Logo Mail Archive

Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution

Vittorio Bertola <vittorio.bertola@open-xchange.com> Mon, 27 January 2020 09:54 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2C6C12001B for <architecture-discuss@ietfa.amsl.com>; Mon, 27 Jan 2020 01:54:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Level:
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_SCAM=1.999, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmzkLd2FSui8 for <architecture-discuss@ietfa.amsl.com>; Mon, 27 Jan 2020 01:54:30 -0800 (PST)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1454A12012E for <architecture-discuss@ietf.org>; Mon, 27 Jan 2020 01:54:30 -0800 (PST)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 39E4A6A272; Mon, 27 Jan 2020 10:54:28 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1580118868; bh=dbjMyVBx2W0rKbGVZy2bqeKa19hGd/Ge4qqn/cMgMhg=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=9ytS+fjNCyiY+XO4HXqIub60BZaz8lsxFCMnXgFdoGZOZSS0T/mH8KRiKWX/jviMo WJnXQ8h6JMptiHkiFx3uJqA0bkO5bcrqZW+GYZKKoU06vw8QvuxfGOM331UWSwujGh Jk5ak5kmD9+aT6L/XH8nnPnerZcfuQkRxfDjDv+coCFt1ZUKqyjJ5iKIkjvWY+MwkM dN1czgfqG3axalrPzflcJ3fQVIGkTF5FoHjGfgI5k226gnSLCiNsntwUBcYVQR26Ly gtRm/YAwMfNbaeqUSmZLWudJ3Egr1rQrIXiT3uNjSXrEzYLZbZPfehKtfoZTBqZ9fq qfh6h9ZL/AZgw==
Received: from appsuite-gw1.open-xchange.com (appsuite-gw1.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 22B8B3C0424; Mon, 27 Jan 2020 10:54:28 +0100 (CET)
Date: Mon, 27 Jan 2020 10:54:27 +0100
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Eliot Lear <lear@cisco.com>
Cc: architecture-discuss@ietf.org, model-t@iab.org
Message-ID: <509170201.60518.1580118868021@appsuite-gw1.open-xchange.com>
In-Reply-To: <96A32815-C313-4C08-90FF-DDAFAD591287@cisco.com>
References: <E2D709DC-DD01-4946-B2F1-7EE0E101DEF0@piuha.net> <dff1c31e-44d4-6045-aaeb-03ac1e855200@gmail.com> <CABcZeBOYsP+SBNdLqc-wmyJAs1A+hvWbKud_XfvDgi9zJVMD+w@mail.gmail.com> <CA+9kkMDFm7nboqQY2OjNvmcWxs_30d_5NtBv8Nd1eLBnWKBaBw@mail.gmail.com> <6a1a019b-8666-269c-56ca-ebae4b69e9e8@huitema.net> <C7FDAD8F-D66A-4618-9F87-B1BB9CEA191B@cisco.com> <CABcZeBPKFEEDqQEGXZAD87n5cCsA75+uMGp-brq0JXBoW91LjQ@mail.gmail.com> <96A32815-C313-4C08-90FF-DDAFAD591287@cisco.com>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.3-Rev3
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/x-UpD6Ml_Ee07GNFHKLZbwssL9Q>
Subject: Re: [arch-d] [Model-t] Possible new IAB program on Internet trust model evolution
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 09:54:34 -0000


Il 26/01/2020 10:44 Eliot Lear <lear@cisco.com> ha scritto:

They are, and they are hard to build, and they have their own failure modes.(*). But I really wasn’t going there, at least not directly.  Let’s look at three specific examples that I’ve mentioned:

1.  Train signaling system needs to be audited both live and retrospectively in the case of accidents.  This has to happen in such a way that the auditor sees precisely what was sent by one endpoint and received by the other.

2.  The case of “parent doesn’t want Internet toy to send video of child”, when the camera is undisclosed (it’s an analog to the privacy analysis on Alexa[1] and the now infamous NEST episode[2]).

3. CPAP machine or an AED/pace maker provide a control interface to the doctor but the patient or his next of kin wants the data.

Each example has a slightly different threat model, in addition to what you stated in 3552. In the first case, we add mistakes on the part of the operator (certainly the most common at this point**), and endpoint compromises.  In the second case, it is the manufacturer themselves that is the threat, for failing to have disclosed what they are doing.  

The third case is more difficult.  Let’s say a patient died.  Did the patient die (a) of natural causes, (b) due to a mistake made by the patient or a care giver at home, (c) due to a mistake made by the healthcare professional on the other end, or (d) due to an cyberattack?  It may be impossible for the next of kin to know if there is no network audit capability.  Yes, this is a messy case, which makes it a good one to explore.

The program can explore COMSEC, UX, and higher level issues as well, like economics.  That latter one is actually important because if in the end the use cases above are going to get trumped by economics on the part of manufacturers, what’s the point of specifying mechanism?   This also goes to another point about which the IAB has had concern: concentration and control points.  That can be explored as well here. This does look to relax the assumption you laid down in 3552 about endpoints, but I don’t think it dramatically changes things.
Part of the issue is, when you have to write "security considerations", what do you mean by "security". If that means "security of the protocol", I can see why you end up with a theoretical approach that defines the security of the endpoints as out of scope. However, if that means "security of the applications that will be built over the protocol", or "security of the users of the protocol", and if security includes privacy and data protection (or even human rights, as the people in HRPC would argue), then the scope becomes much broader. Given the desired focus on prioritizing end-user needs, the meaning should be the latter.

In that case, in the almost 20 years that have passed since RFC 3552, the scenario has changed significantly. For example, 20 years ago end-users were, at least in theory, fully in control of what ran on their endpoints, which basically consisted of personal computers; nowadays, most end-users access the Internet via smartphones, where their control is much more limited - and let alone IoT devices; both smartphones and IoT devices are categories of endpoints that did not exist at the time. 20 years ago there was no "cloud" or "edge computing", and even if the cloud is just someone else's computer, still the location of personal information over the network has significantly changed. 20 years ago the Internet was the Internet, i.e. a permissionless innovation network of networks where lots of people produced content and services even on a very small scale; nowadays, apart from email and the web, many of the most popular services consist of walled gardens, and even network infrastructure is remarkably centralised, not in topological terms but in terms of ownership and control.

I think that it would be good to discuss how these things impact the security of the user, and how they should be considered when writing new protocols. Perhaps, after the discussion, we could conclude that they do not affect protocol design. But I think that in some cases they could, and so the discussion would be useful.

-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy

v2.23.0 | Report a Bug | By Email