Re: [E2ee] Thoughts on draft-knodel-e2ee-definition

Olaf Kolkman <kolkman@isoc.org> Thu, 04 November 2021 07:52 UTC

From: Olaf Kolkman <kolkman@isoc.org>
To: Mallory Knodel <mknodel@cdt.org>
Cc: e2ee@ietf.org, Adrian Farrel <adrian@olddog.co.uk>
Date: Thu, 04 Nov 2021 08:52:14 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/e2ee/iGQbtmwe0OJV_WFf5W-qtbGw5dI>


On 19 Oct 2021, at 17:35, Mallory Knodel wrote:

[…]
>> 2. You are, I think, missing the concept of tunnels. Tunnels have ends.
>> Tunnels are used to carry trusted traffic over untrusted environments.
>> Tunnels have "users" that are normally processes. Encryption on tunnels is
>> hugely important to how the Internet works. Now, that may not be what you
>> want to talk about in your document, and that's OK, but the feel (partly by
>> you talking about end-to-end, and partly by the long preamble about BGP in
>> 2.1) is that it is in scope.
>
> Wondering if Fred or Olaf could jump in? I think I would say tunnels
> are indeed out of scope because it's transport encryption, but you're
> right that we talk about BGP. It's only in an attempt to elucidate the
> end point and e2e principle.
>
> Thoughts from my co-authors on squaring this circle?
>

I think you can reference tunnels in section 2.2 as a negative example.

For instance (addition in italic):

These end points may then be considered acceptable sub-identities
provided that no path between the end identity and sub-identity is
accessible by any third party. _For instance, the common VPN business
model whereby a TLS or an IPsec tunnel terminates at a VPN service
provider from which the traffic is then forwarded to its destination
does not qualify._


—Olaf