IETF Logo Mail Archive

Re: [Model-t] Review of draft-thomson-tmi

Vittorio Bertola <vittorio.bertola@open-xchange.com> Wed, 08 December 2021 07:14 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B86A3A0B09 for <model-t@ietfa.amsl.com>; Tue, 7 Dec 2021 23:14:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2HtBpXbyqWU for <model-t@ietfa.amsl.com>; Tue, 7 Dec 2021 23:14:13 -0800 (PST)
Received: from mx3.open-xchange.com (mx3.open-xchange.com [87.191.57.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E69D3A0B1F for <model-t@iab.org>; Tue, 7 Dec 2021 23:14:12 -0800 (PST)
Received: from imap.open-xchange.com (imap.open-xchange.com [10.20.28.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx3.open-xchange.com (Postfix) with ESMTPSA id ED28D6A0DC; Wed, 8 Dec 2021 08:14:04 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1638947645; bh=4A+6CqJBERjHHObuVoi4ICG32IMt5F9pcbfbBRKzKq4=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=fBRYlWM/mIBKz0hAxg+AUCMwy45kyfOHobYBVBbk0Z/IiRQNCKNmuKtrNBS6u6JeR MHasTJzV0xSkMoyWwb2ndclMnqHbjynRmd+6tbpoFD67YWSDU55mXAf7QuC+LJGVuJ KaZOPlymV0YlhoovMUy70EVwAI7MmMNyMEvMcZtA4zj3TpcbmrV2M3EKsupYr1kJ83 lfUQ9roFiqzfbJ0IkNVvJXyAoGIOcGaQdTGzmxUaCEkqxxHJ8Jac+roPw8sng1cYGh 2FDNEgNw021Ital2bJiAi1/st9ZftQTZd/vnQjuoS4U3esCOyJZ2K9t/i28bROQqNV Vs3u2thIs9Usw==
Received: from appsuite-gw1.open-xchange.com ([10.20.28.81]) by imap.open-xchange.com with ESMTPSA id VMnTOTxbsGGPOgAA3c6Kzw (envelope-from <vittorio.bertola@open-xchange.com>); Wed, 08 Dec 2021 08:14:04 +0100
Date: Wed, 08 Dec 2021 08:14:04 +0100
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Jari Arkko <jari.arkko@piuha.net>, Martin Thomson <martin.thomson@gmail.com>
Cc: model-t@iab.org
Message-ID: <1793552336.53819.1638947644889@appsuite-gw1.open-xchange.com>
In-Reply-To: <F2034CB3-D829-4C50-BC84-A89DE360FF7E@piuha.net>
References: <F2034CB3-D829-4C50-BC84-A89DE360FF7E@piuha.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_53817_697822058.1638947644876"
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.5-Rev31
X-Originating-Client: open-xchange-appsuite
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/MlXkHkmlltcNFcBj12paF0B2kDw>
Subject: Re: [Model-t] Review of draft-thomson-tmi
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2021 07:14:18 -0000

> Il 07/12/2021 00:34 Jari Arkko <jari.arkko@piuha.net> ha scritto:
> 
> 
> Hi,
> 
> I wanted to review this draft in preparation for tomorrow’s call. (Hopefully we will also have others doing the same on this and other drafts!)
> 
In the call we did not really get to the point of discussing this document, but I have two general comments on it that I would like to provide, and that also provide my perspective on the work we need to do.

The first comment is that to me the document reads as two separate parts, where the latter does not logically descend from the former. The first part (2-8) discusses what intermediation is, when it is good and when it is bad. It recognizes in several points, even with examples, that intermediation can be a positive thing and can be used for positive purposes. Then, abruptly, recommendations start and they are all about avoiding intermediation at all costs. The recommendations do make sense in many cases - e.g. designing things rather as services that can be authenticated and interrogated separately - but first of all a protocol designer should analyse how intermediation could happen, whether it is more likely to be good or bad, and whether it makes sense to put effort into making it harder or easier; then, if the answer is "harder", recommendations may follow.

The second and more general comment, which does not just apply to this document but more or less to the entire threat modeling work of the IETF until now, is that there is a permanent confusion of planes when discussing threats. Let's take the very definition at the start of section 2:

"A protocol intermediary is an element that participates in communications. An intermediary is not the primary initiator or recipient of communications, but instead acts to facilitate communications."

Now, if you consider the "communication" on the technical, network plane, we are indeed talking about "protocol intermediaries" that interject themselves in a communication that starts from the network interface of the originating user's device, and ends at the network interface of the destination user's device (or of the server providing the service). Then you can discuss the privacy and security of this specific communication under the current RFC 3552 assumptions, i.e. that what is outside of it is not adversarial and has not been compromised.

But if you want to make an analysis or claims about the privacy or the security of the communication from the end user(')s(') point of view, then things look rather different. An "intermediary" (without the "protocol" qualification) is basically everything that sits between the originating user's fingers and screen and the destination user's fingers and screen. The software on the user's device that acquires the user's keystrokes, formats them as protocol messages and sends them on is a "protocol endpoint" but also an "intermediary"; clearly it "is not the primary initiator or recipient of communications, but instead acts to facilitate communications".

Indeed, today in many applications the biggest and most common threats to the end user's privacy (think of surveillance advertising) come from what's happening within the "protocol endpoint", and that is what makes many of us feel that the model in 3552 is outdated. Making any considerations on the overall privacy and security of a protocol without looking at possible misbehaviour by intermediaries sitting at the protocol endpoint is a logical fallacy.

This is also why I would prefer to make recommendations on intermediaries only after having fully clarified the definitions above. There are cases in which intermediation is the only resort for a user to protect their privacy and security from misbehaving endpoints (e.g. a firewall or filter blocking IoT objects on the local network from connecting to undesired destinations, or preventing the unsuspecting user's browser to connect to a phishing page). We should first understand how the relationship between protocol intermediaries and endpoint intermediaries plays out in terms of user-centred objectives, and only then make recommendations.

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com mailto:vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy

v2.23.0 | Report a Bug | By Email