Re: [ietf-privacy] draft-cooper-ietf-privacy-requirements-00.txt
Robin Wilton <wilton@isoc.org> Tue, 24 September 2013 14:34 UTC
Return-Path: <wilton@isoc.org>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 080C511E813F for <ietf-privacy@ietfa.amsl.com>; Tue, 24 Sep 2013 07:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.133
X-Spam-Level:
X-Spam-Status: No, score=-103.133 tagged_above=-999 required=5 tests=[AWL=0.465, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mkqmh8S1tqXQ for <ietf-privacy@ietfa.amsl.com>; Tue, 24 Sep 2013 07:34:19 -0700 (PDT)
Received: from smtp180.iad.emailsrvr.com (smtp180.iad.emailsrvr.com [207.97.245.180]) by ietfa.amsl.com (Postfix) with ESMTP id 52C0E11E8122 for <ietf-privacy@ietf.org>; Tue, 24 Sep 2013 07:34:19 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp28.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 2A714E059A; Tue, 24 Sep 2013 10:34:17 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp28.relay.iad1a.emailsrvr.com (Authenticated sender: wilton-AT-isoc.org) with ESMTPSA id 76BE1E059D; Tue, 24 Sep 2013 10:34:16 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/signed; boundary="Apple-Mail=_AA252EAB-9D11-4E55-BE1D-87918B87733D"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Robin Wilton <wilton@isoc.org>
In-Reply-To: <52418DE3.6040806@cisco.com>
Date: Tue, 24 Sep 2013 15:34:36 +0100
Message-Id: <3D577464-7390-4EE3-AC7D-A593AC283EDD@isoc.org>
References: <52416C71.9000903@cisco.com> <524170C2.4080306@cs.tcd.ie> <20F43E57-4FD2-44C6-9399-9CC26D1B7457@isoc.org> <52418DE3.6040806@cisco.com>
To: Eliot Lear <lear@cisco.com>
X-Mailer: Apple Mail (2.1283)
Cc: ietf-privacy@ietf.org
Subject: Re: [ietf-privacy] draft-cooper-ietf-privacy-requirements-00.txt
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-privacy>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2013 14:34:24 -0000
Thanks, Eliot… I suspected we were probably all pretty well aligned - I just wanted to draw out that point about explicit vs implicit requirements, rather than disagree with you. Especially about the contents of related RFCs, where your expertise far outstrips mine. ;^) R Robin Wilton Technical Outreach Director - Identity and Privacy Internet Society email: wilton@isoc.org Phone: +44 705 005 2931 Twitter: @futureidentity On 24 Sep 2013, at 14:04, Eliot Lear wrote: > Hi Robin and Stephen, > > On 9/24/13 1:31 PM, Robin Wilton wrote: > >> I tend to Stephen's point of view here. Two parties cannot "bootstrap" a TLS session out of nothing. Even if the person on the client side apparently does nothing, at the time, to establish an encrypted rather than unencrypted session, there are pre-requisites that have to be in place (i.e. pre-arranged). > > Although he may not recognize it, I support Stephen's point of view as > well. I just don't think the document he cited does ;-) > >> >> This may seem like a nit-pick, but I have reasons for drawing attention to it, and TLS is a good 'case study'. What I've observed in PKI is that there's an inverse relationship between adoption volumes and the extent of functionality exposed to the user. Put bluntly, if you want PKI to scale, keep the user away from it. > > While I have tended to agree (it's a bit of a corollary to what I argued > in Section 5.4.1 in RFC 6837)... > >> At one level, there are sound reasons for that: if you leave it up to users, few can be bothered to fiddle with security settings, so the technology goes unused. However, there are also risks: the more you insulate the user from the realities of securing online interaction, the less likely they are to care whether it's happening or not; and, of course, the less likely they are to know if it is not happening at all. > > Indeed. Serge Egelman did some related research on this, involving a > popular mobile operating system.[1] >> >> So, I wanted to draw out this aspect because deployments in this area have to satisfy quite tricky, but implicit, requirements. Users need information that is reliable (a little padlock icon is not useful if it can easily be spoofed) and usable (too much detail scares users away; too little means they can't make informed decisions if necessary). This means we may have to design systems that *appear* opportunistic (such as establishing a TLS session with no apparent, explicit action on the part of the user) even though they may actually rely on a good deal of prior work to put the pre-reqs in place. >> >> Bottom line: we probably need to think carefully about how we define "opportunistic". >> > > And that's where I was heading. Moreover, nobody should take their eyes > off the prize when it comes to authenticate encryption. And that's why > the authors of RFC4432 didn't go there. > > Eliot > [1] http://www.guanotronic.com/~serge/papers/soups12-android.pdf
- Re: [ietf-privacy] draft-cooper-ietf-privacy-requ… Stephen Farrell
- Re: [ietf-privacy] draft-cooper-ietf-privacy-requ… Robin Wilton
- [ietf-privacy] draft-cooper-ietf-privacy-requirem… Eliot Lear
- Re: [ietf-privacy] draft-cooper-ietf-privacy-requ… Eliot Lear
- Re: [ietf-privacy] draft-cooper-ietf-privacy-requ… Robin Wilton