Re: [Model-t] What are we trying to protect

[Eric Rescorla <ekr@rtfm.com>]

On Sun, Aug 4, 2019 at 12:14 AM Dominique Lazanski <dml@lastpresslabel.com>
wrote:

>
>
> On 4 Aug 2019, at 06:08, Eric Rescorla <ekr@rtfm.com> wrote:
>
> his seems like a reasonable problem statement for the overall problem of
> computer security, but not really for IETF.
>
>
> But computer security is Internet security. It is rare that ‘things’ are
> not connected to the Internet  (with the exception of intranets however the
> same type of devices are connected to both).
>
> If some attacks are initiated at the pint of ‘things’ in order to
> compromise the Internet I don’t see why this shouldn’t be in scope?
>

Well, I didn't say anything about "things" one way or the other.

However, my point is that while compromise of endpoints necessarily
negatively affects the Internet, actually protecting those endpoints
against compromise is outside the scope of the IETF. That's not to say it's
not important, it's just not IETF work. To provide two examples perhaps
closer to home:

- Even though compromise of the Web is bad for the Internet, the IETF has
largely punted the security of the Web itself to W3C and WHATWG.
- Compromise of the WebPKI would obviously be very bad for many protocols
the IETF has designed, but the management of the WebPKI is done by CABF,
not IETF.

-Ekr



> FWIW I think Christian and Bret’s emails outline issues that should be
> included in scope.
>
> To take a concrete example memory reading attacks like Spectre are a
> threat to user data and something that browser vendors spend a fair amount
> of energy working on, but they're mostly not in scope for IETF [0]. There's
> nothing wrong with that, it's just division of labor.
>
> -Ekr
>
> [0] I say "mostly" because (a) we need to take the security implications
> of these kinds of attacks in our protocol designs and (b) there might be
> some small pieces of IETF work like CORB, though that seems to be mostly
> being done elsewhere.
>
> On Sat, Aug 3, 2019 at 2:47 PM Bret Jordan <jordan.ietf@gmail.com> wrote:
>
>> Protection of end users’ data
>>
>> Protection of an organization’s data
>>
>> Protection of devices owned by an end user or an organization
>>
>> Protection of network equipment
>>
>> Protection of SCADA system
>>
>> Protection of critical infrastructure
>>
>> Protection of IoT and soon to be released 5G devices
>>
>> Protection of cost optimized controllers
>>
>>
>> The problem we have had in the past is we want to call this one of the
>> following, but each one does not encompass the full picture.
>> 1) Computer security
>> 2) Data security
>> 3) Information security
>> 4) Communication security
>> 5) Network security
>> 6) Application security
>> Etc, etc,
>>
>> So if you way we are just dealing with communication security or
>> information security we are missing a significant piece of the pie.
>>
>>
>> Thanks,
>> Bret
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>> can not be unscrambled is an egg."
>>
>>
>> Reading this thread, I think that we are missing a step. We cannot
>> define attacks without defining first the assets that need to be
>> protected.. Different actors probably have different views on that, such
>> as:
>>
>> 1) Continuous operation of the Internet
>>
>> 2) Continuous operation of a specific Internet provider
>>
>> 3) Continuous availability of an Internet Service
>>
>> 4) Continuous connectivity for a given user
>>
>> 5) Protection of databases used by services and enterprises
>>
>> 6) Protection of the personal data of users
>>
>> Do we have agreement on what we are trying to protect?
>>
>> -- Christian Huitema
>>
>>
>> --
>> Model-t mailing list
>> Model-t@iab.org
>> https://www.iab.org/mailman/listinfo/model-t
>>
>>
>> --
>> Model-t mailing list
>> Model-t@iab.org
>> https://www.iab.org/mailman/listinfo/model-t
>>
> --
> Model-t mailing list
> Model-t@iab.org
> https://www.iab.org/mailman/listinfo/model-t
>
>