IETF Logo Mail Archive

Re: IETF Chair

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 14 October 2020 17:49 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66A773A0F97 for <ietf@ietfa.amsl.com>; Wed, 14 Oct 2020 10:49:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMJM_QyNxhuR for <ietf@ietfa.amsl.com>; Wed, 14 Oct 2020 10:49:53 -0700 (PDT)
Received: from mail-yb1-f179.google.com (mail-yb1-f179.google.com [209.85.219.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6445C3A0F99 for <ietf@ietf.org>; Wed, 14 Oct 2020 10:49:53 -0700 (PDT)
Received: by mail-yb1-f179.google.com with SMTP id d15so617187ybl.10 for <ietf@ietf.org>; Wed, 14 Oct 2020 10:49:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=P91Wv7F0fLKW/l6hwCkpQzAEIf7eACcuWHQxc9nin9U=; b=bMHBzt86NM9xxxdWpT7BuvYqDPy6tFePDMxAlMH/hMAFqETGJZodtA0Gd2uvnEO2UH Louf7xNjgt8PGCm+c0TXpOz5NWS/X2WNs6ZVYA+Vxvl7BE64wce/jHRGMWSgPyy9O9zy GHkK7IyNqKjMjhFaCHEJsc1XKy05PWd4RpsYY18ZEohO+aeFq+oZ9qrLfa3zYljoGtZn 7YCYDxbH4A+GlBxmJCxvpLjEBDqPFMrQbGyODEIsc34xm1YiLnPvM0zKcEk1vjAFbz11 +2JJTn8PHa93SX0FLASLytGXUMxRJ+6XxsFK2/UjK8stX6cvHe9EcvQScr9gt+8Q8EIg KNww==
X-Gm-Message-State: AOAM531QOBHs8mpU8dcrdOFqGAuGWIaHp7yBUYTuAQQkiKY3D94m8VdC kn80+dSBm9h0Xm75/IQUCqTBcoeJ32aC6rAnP1g=
X-Google-Smtp-Source: ABdhPJyOSz+xoMD8giubMIwewN+nTpFLnJEgXXXImlEoZ8TnluSx29nqKzsI3nSXrAZYWL+MAIhoOjIQLfv4rVkcGA8=
X-Received: by 2002:a25:8708:: with SMTP id a8mr798673ybl.302.1602697792356; Wed, 14 Oct 2020 10:49:52 -0700 (PDT)
MIME-Version: 1.0
References: <2B51679C-2BED-4F7B-B146-FF1524B00AA5@akamai.com> <C775E80B-9A31-492E-BA6A-96F9FE831316@akamai.com> <128277543.164613.1602611739735@email.ionos.com> <CAMm+LwjCGVUuFXK+fAzpV176hseXB9iLzC-7OZQZf=ca9+3x0A@mail.gmail.com> <20201014141954.GB18373@mit.edu>
In-Reply-To: <20201014141954.GB18373@mit.edu>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 14 Oct 2020 13:49:41 -0400
Message-ID: <CAMm+LwgqTHVQTj=6wz01WXGYARzuqM3=FkeB4R=bxu65WgHCzQ@mail.gmail.com>
Subject: Re: IETF Chair
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: Timothy Mcsweeney <tim@dropnumber.com>, "ietf@ietf.org" <ietf@ietf.org>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009884e205b1a528e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/fwLOwLkTJtKUv_xsq0rUGU9TM9A>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 17:49:55 -0000

On Wed, Oct 14, 2020 at 10:20 AM Theodore Y. Ts'o <tytso@mit.edu> wrote:

> On Tue, Oct 13, 2020 at 07:22:10PM -0400, Phillip Hallam-Baker wrote:
> > The biggest security problem we face today is breach of data at rest, a
> > confidentiality problem. But 90% of the efforts of the academy and 99% of
> > those of commerce are focused on the Blockchain, an integrity technology.
> > Meanwhile it has taken me most of the last five years working in various
> > forums to persuade people to look at threshold decryption, a technology
> > developed in the 1990s that is actually a confidentiality control capable
> > of securing data at rest.
>
> I'd agree, but at the same time, I'll note that securing data at rest
> is generally not an issue which is solved via internet protocols and
> interoperability guarantees, but rather is something that needs to be
> designed in hardware (e.g., trusted key stores, firmware verification)
> and in software (trusted boot, multiple layers of encryption in the
> software stack, bring your own key for those customers who demand it)
> and in operational practices (reduction of people with privileged
> access, two person controls, auditing, etc.).
>

That is how we have been trying to do it for 20 years. And the result was
the Snowden breach. If the NSA can't run that stack and make it work, it is
hardly surprising if nobody else can either.

All the things you describe are useful as part of a solution. But they
don't get to the heart of the matter which in my view is separation of
duties. You cannot expect security if you place absolute trust in any one
individual or service. There will always be an insider threat. Which is why
we need to divide the private keys. Once you start to look at applying
threshold on a large scale, it is clear that you need a threshold key
infrastructure to manage the issue and use of the key shares. And once you
start to look at managing the shares it becomes clear that you need to make
use of threshold techniques to do that.

An example of the sorts of things which are needed to secure data at
> rest can be found here[1], from my employer, but all cloud providers
> should have something similar (or they'd better, if they want to
> retain customer trust).
>
> [1] https://cloud.google.com/security/overview/whitepaper


Right now, Google has how many billion passwords stored in its cloud
services?

One day, one of the lawyers will look at that and realize that you have
collected what one of my Microsoft friends used to describe as a steaming
pile of liability.

There are many commercial offerings out there but few that have even
explained their security controls and none that I am aware of that have
been subject to full public review. And it is hardly surprising that
password vaults have been one of the chief targets of hackers.

The problem with the password vault providers is that their mission is to
provide a proprietary solution that makes using passwords easy. What the
Internet desperately needs is a solution that provides a transition path
out of using passwords altogether.

Every device that is configured to use my password vault has end to end
security - the service provider does not have any form of access (that is
not a unique claim, but I have yet to see anyone else provide proof of that
claim). But the mechanisms I use to provision decryption key shares to
devices allowing them to access the password vault also provisions public
keys for authentication. So those devices can also authenticate using FIDO
(or equivalent). No smartcards needed.

If you look at this, you'll find that most of it is out of scope for
> the IETF.
>

PKIX was IETF work and one of the few security area protocols that actually
succeeded. If PKI is in scope for IETF then TKI needs to be.

The audience I need to convince to make this work is not the audience here.
It is the board rooms. I used to sell seven figure PKIs to C-suite members.
In the 20 years I worked for other people, I made very sure that I kept on
top of every new technology that might affect our business so that when I
got a call from the CEO, I could tell them exactly what it was about.

Perhaps some folk here might want to start considering the power of
threshold encryption and what it means for cloud security now just in case
they get asked rather than reassuring themselves that the current approach
is working.

v2.23.0 | Report a Bug | By Email