Re: [Model-t] model-t@iab.org list description
Jim Fenton <fenton@bluepopcorn.net> Sat, 03 August 2019 16:52 UTC
To: Bret Jordan <jordan.ietf@gmail.com>, model-t@iab.org
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <d253231a-d35d-e7c9-e3ae-5c7d7915566e@bluepopcorn.net>
Date: Sat, 03 Aug 2019 09:52:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/M4YXAXjyGjD5HPktAV2dGpCd7OQ>
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>

On 8/2/19 9:24 PM, Bret Jordan wrote:
> To borrow your words… “If we are going to take security seriously”…
> we need to understand and document the full attack surface. So let
> us start listing them out. Here are four.
>
>
> Attack: Active remote attack
> Exposure: Full compromise of system and data
> Client Knowledge: Potential indicators may be visible
> Protection Possibilities: Deploy both client and network level protections
> Headwinds: Client based protections are usually inadequate
> Severity: High
> Kill-Chain Phase: Lateral Movement

[etc.]

Perhaps we need to decide what we consider a threat model to be. I see
Bret's list as a collection of specific attacks (tactics), while I
consider a threat model to be at a higher level than that, e.g., whether
nation-states, or supply chain threats, should be part of that model.

When I was working on the draft that became RFC 4686 (DKIM Threat
Analysis), Russ Housley gave me some very good coaching about how to
structure that. He suggested that it should describe:

- The nature and location of the bad actors
- What the bad actors' capabilities are
- What they intend to accomplish via their attacks

How do we want to define threat model?

-Jim