[Diem] Re: [EXT] Re: Some high-level thoughts on scoping

[Samit D_CUNHA <sdcunha@icrc.org>]

Dear Mallory,

That’s an excellent question. Here are some of the things we’ve been working on:


  1.  Indeed, the technical development and legal/policy process has in a way been mutually reinforcing, but also co-dependent. We don’t advance on the tech without first consulting with States on their needs and requirements to digitalize the Red Cross, Crescent, and Crystal, as well as consulting more broadly with the movement of the RCRC (ICRC + International Federation of the Red Cross and Red Crescent Societies + the 191 national societies that are part of the federation today).
  2.  Last week, we held a technical meeting open to all States to formally present ADEM to them as a possible solution so we could receive feedback from them. We’ve consulted bilaterally with States in all continents of the world.
  3.  In fall of this year, we will hold a legal and diplomatic meeting open to all States to consider the various avenues for incorporation into IHL.
     *   One possibility is an amendment of the Annex of the First Additional Protocol to the Geneva Conventions. Article 98 of API says, in part, “…at intervals of not less than four years, the International Committee of the Red Cross shall consult the High Contracting Parties concerning Annex I to this Protocol and, if it considers it necessary, may propose a meeting of technical experts to review Annex I and to propose such amendments to it as may appear to be desirable… Amendments to Annex I may be adopted at such a conference by a two-thirds majority of the High Contracting Parties present and voting.”
     *   We have other formal proposals that we are discussing with States, including a possible new Protocol specifically for the digital emblem.
     *   There are other possible solutions too, e.g. what we call special agreements or unilateral declarations, for the DE’s deployment.
     *   The decision of States will, in part, rest of what the technical solution is for digitalizing the RCRCRC– and this is why we see the work of the IETF is so important for this process – truthfully, the ICRC doesn’t itself have the technical knowledge to develop this solution on its own. We are relying on a whole new group (for us) of stakeholders to try and solve this problem together and to be honest, are eternally grateful for the interest we’ve seen so far. The ICRC’s work with States is primarily confidential and bilateral, but looking at the geopolitical state of affairs today, it is hardly a shock to say that today, more than ever, the need for a digital RCRCRC is pressing.
  4.  This year is an International Conference year (https://rcrcconference.org/) The conference takes place once every four years. At this year’s conference, we are proposing a resolution to welcome the ongoing work on the Digital Emblem (see https://rcrcconference.org/app/uploads/2024/06/34IC-Draft-zero-resolution-ICT-June2024-EN.pdf, operative paragraph #11); there is one resolution for States and the Movement, and one only for the Movement (at a separate but related meeting called the Council of Delegates).

Hope this is helpful. Happy to discuss more in Vancouver. Thanks again for the helpful question. Best,

Samit


Samit D’Cunha
Legal Advisor





[cid:image001.png@01DACBED.2CD86DC0]

International Committee of the Red Cross
19, avenue de la Paix 1202 Geneva Switzerland

Email: sdcunha@icrc.org<mailto:sdcunha@icrc.org>



As societies digitalize, cyber operations are becoming a reality of armed conflict. Learn more about the Digital Emblem Project<https://www.youtube.com/watch?v=VpaXOAv3DpQ&ab_channel=InternationalCommitteeoftheRedCross%28ICRC%29> here!







From: Mallory Knodel <mknodel@cdt.org>
Sent: lundi, 1 juillet 2024 18:11
To: Samit D_CUNHA <sdcunha@icrc.org>; Felix Linker <linkerfelix@gmail.com>; Eric Rescorla <ekr@rtfm.com>
Cc: diem@ietf.org
Subject: Re: [Diem] Re: [EXT] Re: Some high-level thoughts on scoping


Dear Samit,

Thank you for that explanation. I hesitate to call it a metaphor when the task ahead is to explicitly digitalise an analog equivalent.

To that end, can you share more on the progress being made-- if any--  on the expansion of international humanitarian law to cover the digitalisation of the emblem? Ideally the technical and the legal efforts are in tight conversation with one another so that this effort is fit for purpose.

Thanks,

-Mallory
On 7/1/24 11:33 AM, Samit D_CUNHA wrote:
Hi Eric, hi Felix,

I just want to jump in on the red paint point – yes, you’re absolutely right, it’s ultimately “easy” to just paint red on your roof. That’s why the distinctive emblem (ie. red cross/crescent/crystal) was conceptualized from the start as needing to be strictly regulated by States under international law.  In some ways, it was the impetus for establishing what we refer to today as International Humanitarian Law. States are required for example to suppress violations or misuse of the distinctive emblem. Certain misuses of the emblem (for example using that red paint to paint a red cross and mislead the adversary to then kill or injure them) is a grave breach of the Geneva conventions; a war crime.

I can’t yet say how this translates into cyberspace, but within the context of conflict, to take this metaphor further, misuse of the emblem is not suppressed by regulating red paint. Anyone has access to red paint. It’s by regulating red painters.

For this and other reasons, for the digital emblem to actually be used during armed conflict, it would of course need to either be incorporated into international law, or deployed or operationalized through some diplomatic process, which is the part of the project that I am leading, in consultation with States and other stakeholders.

Cheers,

Samit

PS. I’m  not able to follow all discussion here – if anyone has any substantive questions on the law, on the distinctive emblem, etc., please do feel free to reach out to me directly!


From: Felix Linker <linkerfelix@gmail.com><mailto:linkerfelix@gmail.com>
Sent: lundi, 1 juillet 2024 15:30
To: Eric Rescorla <ekr@rtfm.com><mailto:ekr@rtfm.com>
Cc: diem@ietf.org<mailto:diem@ietf.org>
Subject: [EXT] [Diem] Re: Some high-level thoughts on scoping

CAUTION: This email originated from outside the ICRC. If you can't recognize the sender, avoid clicking links or opening attachments. In case of query, please contact the ServiceDesk.

Hi Ekr,



On 1 Jul 2024, at 15:17, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:



On Mon, Jul 1, 2024 at 6:09 AM Felix Linker <linkerfelix@gmail.com<mailto:linkerfelix@gmail.com>> wrote:
Hi Ekr,

I wanted to quickly jump in and discuss point [0].

I think there is a significant risk associated with unauthenticated emblems. It could turn out that they are distributed in bad faith so often that people would stop paying attention to any emblem. The signal-to-noise ratio would be simply too low.

Well, that's also the case with the red paint, no?


In the digital world, it’s (in general!) much easier to claim that „I didn’t send this bit string!“, whereas in the physical world, if I painted a Red Cross on my balcony, I’d have a hard time explaining to the police that I didn’t put it there. Probably, some law would require me to do my due diligence of guarding my property and removing illegal things.

I added „in general.“ Of course, if emblems were distributed solely by authenticated channels like TLS, then this would change the argument. But I doubt that all use-cases can be addressed by TLS (to be discussed at a point where we decided on the problem to solve).




Nevertheless, I think that anyone should be able to deploy emblems. This is why we aimed to provide accountability with ADEM. We require parties to bind their signing keys to their domain name in a non-repudiable way. So you at least put your domain name at stake when distributing fraudulent emblems. Such emblems in some sense are unauthenticated (they don’t like back to a „root CA“), but they still can be authentically associated with a domain name.

Thanks for the explanation. A few thoughts:

1. This seems like a rather narrower goal than that which ADEM seems to embody. As I understand ADEM, these certificates also contain endorsements from third parties (e.g., ICRC). Presumably, this is intended to embody authorization to display an emblem, not just after the fact punishment.
2. "Non-repudiation" is a technical property, but it's not clear to me that it's really required for after the fact accountability. We fairly routinely attribute people's online behavior to them based on much weaker non-cryptographic evidence.



  1.  That is true! There are two concepts to distinguish. What makes a valid emblem under, e.g., the ADEM specification, and what makes an emblem that many people will find trustworthy (i.e., they won’t attack an asset marked with such an emblem). The ADEM spec permits you to deploy emblems without authorization, but it recommends that you do not and also add endorsements from third parties (in order to be more trustworthy).
  2.  Yes, I see your point. Worthy to be discussed once a problem scope has been decided.

Best,
Felix



-Ekr



Best,
Felix



On 29 Jun 2024, at 23:32, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:

Hi folks,

I've been reading the mailing list and wanted to offer some high
level comments.

PROBLEM STATEMENT
We have two problem statement documents here which seem to have
different ideas of what the problem is. I would characterize
these as:

- Port emblems from the physical to the digital domain (draft-linker)
- Improve on the security properties of physical emblems for physical
  objects by digitizing them (draft-haberman)

These seem like quite different objectives, made more different by the
assumption that both PS documents seem to make that the digital
emblems have to be hard to forge [0]. For instance, the mechanism
described in draft-adem-wg-adem-core-latest ties the emblem to some
network identifier for an element (the IP address or a domain name),
but this does not transfer in an obvious way to physical object.

The emblem being physically attached to the object doesn't really help
here because the attacker might copy (if it's copyable) or move the
emblem (if it's uncopyable, though of course this is quite hard to do
while also having it be cheap) I see that in
(https://mailarchive.ietf.org/arch/msg/diem/-5sgtyo8hbCq7rLEDRVPZb8krMQ/)
Bill Woodcock observes that the emblem might carry various attributes
about the physical properties of the asset, but this seems like
a much weaker form of binding as there are going to be a very large
number of assets and the ability to positively identify each one
by properties such as size and mess will necessarily be quite limited.
Even ignoring everything else, just specifying the parameters one
would use in order to provide such a binding between emblem and
object seems challenging, and not really something that the IETF
is well suited to address (how does one distinguish between a pile
of more or less identical looking 40ft shipping containers?).


ARCHITECTURE
Conceptually, it seems to me that there are at least four technical
problems to solve:

1. The information to be conveyed about the asset (e.g., "This is a
   hospital").

2. The binding of the information to the asset (e.g., "this asset
   has this IP address" or "this asset is a crate with the following
   properties")

3. How the information is delivered to the verifying party.

4. How the information is attested to (e.g., the trust hierarchy).
   Obviously, if we decided not to authenticate the information
   we wouldn't need this.

My sense is that while (1) and (4) are potentially common to both the
digital and physical domains, (2) and (3) will necessarily be
quite different. For instance, draft-adem-wg-adem-tls specifies
a binding of ADEM to TLS in the NewSessionTicket message, whereas
in the context of physical assets I've heard people suggest
QR codes or RFID tags [1].


NEXT STEPS
I see that there is some debate about whether we need to address the
physical domain at all. I don't have an informed opinion on this
topic, but based on the above it seems to me that (1) the digital
domain is going to be quite a bit easier and (2) there is a
well-identified stakeholder (ICRC) which wants to do it and is
participating on this list. To that end, I think it's worth
considering whether it would be best for a potential WG to
start by trying to address the digital domain and then consider
expanding scope once the easier problem is well understood.

-Ekr


[0] I actually think this assumption deserves some examination.  There
aren't really any technical mechanisms that stop me from painting a
red cross on a military target. Rather, there are legal restrictions
on doing so. It's not entirely clear to me from reading the
various documents people have pointed to why that's insufficient in
the digital domain. It would certainly be much easier to design
a system like this if it just allowed for unverifiable claims
about the protected status of some asset.

[1] I'm not sure if RFID tags can be covertly verified.
_______________________________________________
Diem mailing list -- diem@ietf.org<mailto:diem@ietf.org>
To unsubscribe send an email to diem-leave@ietf.org<mailto:diem-leave@ietf.org>


________________________________

The ICRC - working to protect and assist people affected by armed conflict and other situations of violence. Find out more: www.icrc.org<http://www.icrc.org>

This e-mail is intended for the named recipient(s) only.
Its contents are confidential and may only be retained by the named recipient(s) and may only be copied or disclosed with the consent of the International Committee of the Red Cross (ICRC). If you are not an intended recipient please delete this e-mail and notify the sender.

________________________________



_______________________________________________

Diem mailing list -- diem@ietf.org<mailto:diem@ietf.org>

To unsubscribe send an email to diem-leave@ietf.org<mailto:diem-leave@ietf.org>

--

Mallory Knodel

CTO :: Center for Democracy and Technology

newsletter :: https://internet.exchangepoint.tech
===============================================================================
The ICRC - working to protect and assist people affected by armed conflict and
other situations of violence. Find out more: www.icrc.org

This e-mail is intended for the named recipient(s) only.
Its contents are confidential and may only be retained by the named recipient
(s) and may only be copied or disclosed with the consent of the International
Committee of the Red Cross (ICRC). If you are not an intended recipient please
delete this e-mail and notify the sender. 
===============================================================================