IETF Logo Mail Archive

Re: [Model-t] w3c also thinking about threat models

Watson Ladd <watsonbladd@gmail.com> Mon, 23 September 2019 22:42 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B80D3120088 for <model-t@ietfa.amsl.com>; Mon, 23 Sep 2019 15:42:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y13w8tC1aAVb for <model-t@ietfa.amsl.com>; Mon, 23 Sep 2019 15:42:42 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94FA2120044 for <model-t@iab.org>; Mon, 23 Sep 2019 15:42:41 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id r134so11394848lff.12 for <model-t@iab.org>; Mon, 23 Sep 2019 15:42:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o+ixFokFeNdTyCSnR2HAImVzdAzRHCylci37POaYJLE=; b=SoSBB5BxZtTTcIVMRvnlFAdwAtppsZKLJw2KI1NEcDTJZxXoheSwYSFvYe5tczvfIe wypsdCSauTp22NlB2ExXDN/Rv/MSH5T44pwNJa47f4XdK6sR/baQltJvkD5TK+XhVbeR sOtKZxHFtdJUvOTw5dyGT9ZTmfIAqsTulm33dcedH0VJs3bCVi2yJupUXHPrLKJ8i8yn h6KU06smTJ8JuCEBHsknGd0rVwDnxauwVlCccXLVtCRXxRaWY4lxxqqF2LDqz9Uormar fGkOxsS1zYwXotriJ/nq7m+DYlUsxOTIeeo690gfD3gWs3XsDYF9QqOSbUaez++2fa4J kQSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o+ixFokFeNdTyCSnR2HAImVzdAzRHCylci37POaYJLE=; b=rqe/3LlQHfZu/TnWzdmRl19zuNZp2sK2X9tIAIbBs4X92NVpn2urQAaWjeG7zQs31A KQMdFkE1Jx2IQBuB5VmPfRKJp470f8NRx6KO9IN2lqeCzVu8W3TgdBCzaTF99a3Axdud jznqV91XEZSlAlA9SWY8rGFgLDbWZocQlnXMbkkMs13VhLm36h4CVGGnkdQxrQL02QSk iCilwq3SgBbHvyAKCsfiwUmkRxBg0J4Qc9E1rqKu6Wvequj0RKudsPbPNnehGCMgvrEv UdA7QU5v3YsqAR1+ftREf4WMfyYw6J0bXyc1izP9VAtoghO3EKCbUbHY6khcOO3UdiuM Bibg==
X-Gm-Message-State: APjAAAWH1S0iHajSUHsn8QidpNDyLH56r2Rd+WnURStc+p9laZzWtMhC 6/3S4Ft5RzvDcZE9vaVU9dvUbOOMjQMWQ9QN2TU=
X-Google-Smtp-Source: APXvYqwplbegD6IHjwKOZZitbD+gJFHioCZRS5nsHqMWPYsrWelVONL03Dybmz10yZTX5iRrtac/WHSz+MzKaJxP+yA=
X-Received: by 2002:ac2:414b:: with SMTP id c11mr1058893lfi.159.1569278559678; Mon, 23 Sep 2019 15:42:39 -0700 (PDT)
MIME-Version: 1.0
References: <a327c668-6a17-bb9f-318e-e3cea6c6c1d0@cs.tcd.ie> <624F4CA6-8D84-4BD8-A74C-E5AE22709F72@lastpresslabel.com> <A30308F8-D2A5-45CF-88D9-D65240972D51@gmail.com> <27c70832-a631-4622-6119-3a47928c634e@cs.tcd.ie> <49EC2254-981B-4B79-9116-AC24385C2287@gmail.com> <e22b6512-ec19-24dd-56fa-38ac87d1a321@cs.tcd.ie> <D68AA072-F5A6-4535-8CB3-AE9ADD07476D@huitema.net> <65703c0a-9148-077f-53d8-4781419b6b50@joelhalpern.com> <CACsn0ckS-m5p3cc7T9TT0ejkbEphUWgjjsqOcaW7Bx4vOU6=PA@mail.gmail.com> <941e9585-2828-4e9f-1279-08e487f6b499@huitema.net> <F9FBC731-A2FE-404F-873F-0CE1239A26E3@gmail.com>
In-Reply-To: <F9FBC731-A2FE-404F-873F-0CE1239A26E3@gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 23 Sep 2019 15:42:27 -0700
Message-ID: <CACsn0c=WqUzgv=ZrHMQc9SgL0ABOd8DhpV5gzRafikpe-16v=Q@mail.gmail.com>
To: Bret Jordan <jordan.ietf@gmail.com>
Cc: model-t@iab.org
Content-Type: multipart/alternative; boundary="0000000000001a76170593402318"
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/1A-r0finjwpVHGM2dP-Sl0NoVu8>
Subject: Re: [Model-t] w3c also thinking about threat models
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 22:42:45 -0000

On Mon, Sep 23, 2019, 1:47 PM Bret Jordan <jordan.ietf@gmail.com> wrote:

> The security model needs to be more than just “can passive third parties
> see the traffic”. We need to make sure we understand and call out the
> operational security aspects of things we create here.
>

Is there a model for operational security? I thought the idea would be to
look at properties protocols and systems need to have to ensure security
properties we want to have in the face of threats, and where what we have
falls short.

It feels like we're going around in circles with people in the enterprise
thinking that you can bolt on a box to tell the bad from the good, and
others thinking you need to think carefully about what other kinds of boxes
can be bolted on, and pointing out the availability of MDM etc.

And if we're going to rethink threat models it should be more forward
looking then one particular methodology for cleaning up the limitations of
today's security models.


> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> can not be unscrambled is an egg."
>
> On Sep 23, 2019, at 1:52 PM, Christian Huitema <huitema@huitema.net>
> wrote:
>
>
> On 9/23/2019 9:26 AM, Watson Ladd wrote:
>
>
>
> On Mon, Sep 23, 2019, 11:07 AM Joel M. Halpern <jmh@joelhalpern.com>
> wrote:
>
>> It seems pretty clear to me that if we take the view that everything is
>> in scope, we will not produce any useful improvements in our current
>> security considerations in any reasonably measurable time.
>>
>> It seems to follow that if we want useful results, we had best find
>> somewhere to draw a line and agree that we will deal with some
>> well-defined scope.
>>
>> Of course, if all people want is a place to complain about the
>> interaction of architecture, protocol, implementation, and underlying
>> hardware flaws, I guess we can just complain forever.
>>
>
> Amen! But I think we can look at actual gaps in the network security model
> vs the host security model vs what programmers and users expect etc. XSS
> can be seen as a consequence of lacking quotation mechanisms in server
> interpolated strings.
>
> We also shouldn't privilege one use case over others.
>
>
> To answer Joel, I think there is a middle ground between "everything is in
> scope" and "we don't worry about the implementation of the endpoints".
> Clearly, we cannot address the multiple ways in which endpoint security
> fails. On the other hand, we can accept the possibility that endpoint
> security will sometimes fail, and incorporate that in the threat model.
> Endpoint security failures often only affects the endpoint itself, such as
> "get a virus, lose your files". I am not proposing that the IETF discusses
> that. But many times, endpoint security failures affect a number of other
> systems.
>
> For example, we recently saw attacks in which the hackers gain possession
> of one of the replicated DNS servers for a TLD, which allowed them to put
> up a fake web server for a domain inside that TLD and attempt to capture
> login credentials for users of that domain. The attacks was not perfectly
> executed, but it seems that they could also have obtained valid TLS
> certificates for that TLD using automated services. Single point of
> failure, fairly bad results. If that is not in scope for the revised threat
> model, what is?
>
> -- Christian Huitema
> --
> Model-t mailing list
> Model-t@iab.org
> https://www.iab.org/mailman/listinfo/model-t
>
>
> --
> Model-t mailing list
> Model-t@iab.org
> https://www.iab.org/mailman/listinfo/model-t
>

v2.23.0 | Report a Bug | By Email