Re: Transparency in Specifications and PRISM-class attacks

Harald Alvestrand <harald@alvestrand.no> Fri, 20 September 2013 13:10 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66F8A21F9611 for <ietf@ietfa.amsl.com>; Fri, 20 Sep 2013 06:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.411
X-Spam-Level:
X-Spam-Status: No, score=-110.411 tagged_above=-999 required=5 tests=[AWL=0.188, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cbHyG7SCbCZl for <ietf@ietfa.amsl.com>; Fri, 20 Sep 2013 06:10:36 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 26FC821F9477 for <ietf@ietf.org>; Fri, 20 Sep 2013 06:10:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 4721E39E115 for <ietf@ietf.org>; Fri, 20 Sep 2013 15:10:34 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdKzUBz0eRwq for <ietf@ietf.org>; Fri, 20 Sep 2013 15:10:33 +0200 (CEST)
Received: from [IPv6:2001:470:de0a:27:1003:d74f:d593:c954] (unknown [IPv6:2001:470:de0a:27:1003:d74f:d593:c954]) by eikenes.alvestrand.no (Postfix) with ESMTPSA id 7A90339E085 for <ietf@ietf.org>; Fri, 20 Sep 2013 15:10:33 +0200 (CEST)
Message-ID: <523C49A0.8020405@alvestrand.no>
Date: Fri, 20 Sep 2013 15:12:00 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: Transparency in Specifications and PRISM-class attacks
References: <CAMm+LwiYy1xVGFvcKNbmLEEWcnHns70CS6aH9zV4B0Xqg-OWOw@mail.gmail.com> <523C216A.8030305@alvestrand.no> <523C339F.9080205@gmx.net>
In-Reply-To: <523C339F.9080205@gmx.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 13:10:41 -0000

On 09/20/2013 01:38 PM, Hannes Tschofenig wrote:
> On 20.09.2013 13:20, Harald Alvestrand wrote:
>> To my mind, the first thing to focus on is making our specs readable, so
>> that it's possible to understand that they have not been compromised.
>
> Three questions for you Harald:
>
> 1) When you say that our documents have to be "readable" then you have 
> to say readable by whom? Of course, most of our documents are tailored 
> to those who implement rather than to, let's say, someone who has 
> little understanding of Internet technology in general.

By those who implement them, and those who try to understand how it 
works to the degree that they feel assured that there are no 
non-understood security risks (intentional or otherwise).

>
> 2) Are there documents you find non-readable?

 From the stack I'm currently working on, I find the ICE spec to be 
convoluted, but the SDP spec is worse, becaue it's spread across so many 
documents, and there are pieces where people seem to have agreed to ship 
documents rather than agree on what they meant.
I have not found security implications of these issues.

>
> 3) Do you have any reasons to believe that there are documents that 
> have been compromised?
>
I have no evidence that they have intentionally been compromised. I 
think we manage to make specs unreadable without deliberate obfuscation 
- but the reader can't know that.