Re: [icnrg] Vessel Container Format
"David R. Oran" <daveoran@orandom.net> Thu, 10 November 2022 19:26 UTC
Return-Path: <daveoran@orandom.net>
X-Original-To: icnrg@ietfa.amsl.com
Delivered-To: icnrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BD96C14F728 for <icnrg@ietfa.amsl.com>; Thu, 10 Nov 2022 11:26:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=crystalorb.net header.b=LuGpSE/U; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=crystalorb.net header.b=Fa6P5oCm
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xWl7jUzxSII for <icnrg@ietfa.amsl.com>; Thu, 10 Nov 2022 11:26:42 -0800 (PST)
Received: from crystalorb.net (omega.crystalorb.net [IPv6:2600:3c01:e000:42e::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A991C14F733 for <icnrg@irtf.org>; Thu, 10 Nov 2022 11:26:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=crystalorb.net; s=mail; h=Content-Type:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:From:Sender:Reply-To:Subject:Date: Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=iuXsGwb6Dwim10oCOwcqkv97jUi/Ugf7vzXtQfb9e7Y=; b=LuGpSE/UJXKJ3GmIwKXePxagSD Tho2rGgHgsg3TYhk6RYzW3o8JUDRrWWVRh+LWq3iYWQkNT9I1wJmjLfhf/aexWta7MlLkzAOEQdeL Jg9TH7rO/2r2mcq+VUFpTe9wzFCxyMNbfmN5l77jicjBAr3ArwXZFFS/vXTAZ0U9Zcr4=;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=crystalorb.net; s=omegamail; h=Content-Type:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:Cc:To:From:From:Sender:Reply-To:Subject: Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=iuXsGwb6Dwim10oCOwcqkv97jUi/Ugf7vzXtQfb9e7Y=; b=Fa6P5oCmST+FPxKbmsA4eDfmJA 9IRkIkmXo4osQtlXZUIjuCAEXAlUQJcpscom+igrkcJdt2Tf6NkIMf/+5sBg==;
Received: from [2601:184:407f:80cf:19eb:eda6:8524:f975] (helo=[192.168.15.242]) by crystalorb.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <daveoran@orandom.net>) id 1otDAd-00EgdQ-3b; Thu, 10 Nov 2022 11:25:03 -0800
From: "David R. Oran" <daveoran@orandom.net>
To: Jens Finkhaeuser <jens@interpeer.io>
Cc: ICNRG <icnrg@irtf.org>
Date: Thu, 10 Nov 2022 14:26:37 -0500
X-Mailer: MailMate (1.14r5926)
Message-ID: <044C4C1E-87B7-45D3-A5C6-F94A3657EDB5@orandom.net>
In-Reply-To: <-k8uPW5PEPBYD_TwxvsfIgxKhhv5DvtOiAVeef52DGc5QRzjQBAANyBXQ_CibQNHVHSEJOEyJBA0LSBusP9y6jS0xc-uCVQZrTqCEyz5H-0=@interpeer.io>
References: <-k8uPW5PEPBYD_TwxvsfIgxKhhv5DvtOiAVeef52DGc5QRzjQBAANyBXQ_CibQNHVHSEJOEyJBA0LSBusP9y6jS0xc-uCVQZrTqCEyz5H-0=@interpeer.io>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_0D4150D5-B89B-4D8F-8567-BE16A1B702EC_="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-SA-Exim-Connect-IP: 2601:184:407f:80cf:19eb:eda6:8524:f975
X-SA-Exim-Mail-From: daveoran@orandom.net
X-SA-Exim-Scanned: No (on crystalorb.net); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/icnrg/KJLy2s5HgFiTFRs1e4TR_DUmH1M>
Subject: Re: [icnrg] Vessel Container Format
X-BeenThere: icnrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Information-Centric Networking research group discussion list <icnrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/icnrg>, <mailto:icnrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/icnrg/>
List-Post: <mailto:icnrg@irtf.org>
List-Help: <mailto:icnrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/icnrg>, <mailto:icnrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2022 19:26:46 -0000
On 10 Nov 2022, at 4:14, Jens Finkhaeuser wrote: > Hi, > > after my presentation on Tuesday, one question was raised that I feel I did not respond to satisfactorily, which I would like to address now: why focus on deletion so much? > > There are two answers. > > 1. It's the law. I am not a lawyer, of course, so the actual legal interpretation of such things remains to be seen. But I would doubt that when faced with someone legally requesting the deletion of PII, a judge would look kindly upon an answer that is effectively "I forgot I have it". The exact measure of "reasonable effort" is not up to me, but I think a slightly better answer than that is going to be required if such a thing is tested (I recall similar arguments surrounding the notion of legally copying IP-protected data). It’s in my view a fools errand to make a protocol design / architecture way more complicated and less resilient to pursue a property like deterministic deletion that cannot in practice be achieved. The law on this will eventually catch up, as it has in other similar areas, like how “fair use” restrictions used to prohibit caching of copyrighted video (in Germany), and forced “cloud DVR” systems to keep a physical copy of recorded content per-user and not de-duplicate (in the U.S.). The actual legal property that’s needed is to ensure that no system holding the physical bits also holds the decryption keys. This is quite hard, of course, but at least not completely infeasible as would be tracking down and blasting all the copies of the bits using secure erase (so they can’t be recovered from discarded media). > 2. Relying on cryptography assumes everything working well, until the cryptographic solution fails, at which point all bets are off. That’s right. All bets are off if the cryptographic system fails. Not just deletion but many many things that are a lot more damaging. Of all the things to depend on, crypto is probably the least likely to have catastrophic failures. The failures we’ve seen have been primarily in the implementations, particularly of the key management. What leads anyone to believe that the implementations of deletion by secure erase would be any less susceptible to error? > But there are plenty on scenarios that are not that binary. Specifically, it is not guaranteed that a malicious party that comes into possession of a compromised key does so after already having received encrypted content blocks. In such a scenario, of course, deletion does nothing. Correct. > But in a more opportunistic scenario where the malicious party requests content only as a result of having acquired a key, deletion can protect against leaking of sensitive data. Such mitigation also relies on a specific sequence of events (deletion to occur before requesting), but this sequence is far from improbable. If you can throw away the content, why can’t you throw away the key? While the fundamental problem is recursive (the keys are themselves data that needs to be deleted) dealing with keys is in many ways easier: - many fewer bits - held in secure enclaves that unless compromised by implementation errors, can expire keys in a timely fashion and require that they be refreshed. - depending on keys protects better against zombie failure modes where some cache or other repository goes offline for a long time (e.g. longer than the key lifetimes) and then comes back online way after the state you kept to enforce deletion has been itself thrown away. (Funny historical reference: on the 20 or 30th anniversary of the ITS timesharing system - I forget which - somebody booted up an old backup and emails that were in the send queue when it was shut down went out!). - > > > In summary, I consider it somewhat negligent not to include deletion as a first class problem into ICN solutions, but YMMV of course. I respectfully disagree. I do not think that rapid enough content deletion is in practice achievable and adds a non-trivial amount of complexity to the system which increases the probability of other more serious failure modes. > > At any rate, thank you very much for this feedback! At minimum, it's become clear that I need to stress these points in the draft. > > Jens > _______________________________________________ > icnrg mailing list > icnrg@irtf.org > https://www.irtf.org/mailman/listinfo/icnrg DaveO
- Re: [icnrg] Vessel Container Format Jens Finkhaeuser
- Re: [icnrg] Vessel Container Format David R. Oran
- Re: [icnrg] Vessel Container Format David R. Oran