Re: [dane] [saag] Need better opportunistic terminology

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hiya,

On 03/12/2014 09:13 PM, Michael Richardson wrote:
> 
> Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>> On 03/12/2014 08:47 PM, Michael Richardson wrote:
>>> The part that we are all discussing is determining how (much)
>>> to trust the DH results.
> 
>> I don't think that's a very accurate characterisation to be
>> honest.
> 
>> I think the most relevant (but intertwined) factors are:
> 
>> - trading off ease of deployment vs. endpoint authentication -
>> trading off protection against passive vs active attack - better
>> separating key exchange from endpoint authentication so that
>> traditional authentication or TOFU or whatever can be used before
>> during or after key exchange
> 
> But, you made my point.

Well yes and no, we're agreeing and almost but not quite
discussing the same things I figure, let's see if that
continues... :-)

> While the end user sees the overall benefit is: my traffic can not
> seen
> 
> The problems and challenges that we have are not in how or even
> when to apply AES,

Agreed.

> it's how/when to do the DH.

"How" to do DH is pretty much the same everywhere or at least
the diffs are not relevant for a generic terminology draft.

"When" is I think as-soon-as-you-can (modulo amortizing DH over
multiple "sessions" or similar).

I think our challenges are not in when to do DH but in how that
relates to when we might do what forms of endpoint authentication
(or none) and the consequences of each of those options.

That's why I think a generic terminology draft will be useful, as
there are lots of potential combinations. Naming each (or whatever)
will make it easier for protocol developers to argue about what's
suitable for their particular environments.

For example, in the limit, I think it'd be worth thinking about
whether a post-facto MITM detection protocol perhaps run a day or
two later might have value. That'd be more of a research topic
really, but could still represent a form of useful endpoint
authentication even if it only detected a MITM with say a 1%
probability. Think of Alice and Bob depositing a witness pair
derived from the DH secret and some HASH(shared-info + application
traffic) some place(s) so someone (else) could detect if there
was a Charlie in the middle. (BTW: I'm not sure such a useful
generic protocol exists, but it'd be fun to work it out.)

> To the end user, having the word "encryption" in the terminology is
> useful because it tells them why they should pay attention to it.

Good point. Maybe that's why folks keep coming back to OE
as a term.

> 
> To us, it's a red-herring, because it's not where the issue is.

Also true.

Cheers,
S.

> You listed the issues.
> 
> (BTW: my TLA cache is failing on "TOFU")
> 
> -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software
> Works -= IPv6 IoT consulting for hire =-
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJTINXHAAoJEC88hzaAX42iuwsH/jG+Iny/Ae5cEJblR09CD9CE
oPhLIMQM6eFBHiFFkz185XilNgyCUuWlAsGSEAMxNybKwZmpChf52ljhEXgE7Vx8
ULDHW8NadWp6O6V2CXie4vQM3ZAW58sgGRCqtejja3R2+DrKxgqi5gnWNxOYLt45
fzXjZYwZ1njlKPV1iLkAwrhLMj8HYOd005CNwW4owL746SV95AroZU316VfVVvB/
ehoLCHINcFJ32mFoPynPQwY/oSL89UWhSzswnkNljSC1R9dYs+eX/mEkBgFC/0Am
EptcQZ0IwS5nBf4IwWi9V2wD+phS9zMAcOhpT7oJPzguZhChF/ziVH0NwYGsibg=
=32vZ
-----END PGP SIGNATURE-----