Re: [Model-t] draft-thomson-tmi

Martin Thomson <mt@lowentropy.net> Tue, 14 July 2020 00:25 UTC

Message-Id: <004e5fc9-e284-4c84-8a3c-7872ceb1d20b@www.fastmail.com>
In-Reply-To: <1164022876.4302.1594630518489@appsuite-gw2.open-xchange.com>
References: <422978b2-028d-48e1-85ed-ddaa36e36052@www.fastmail.com> <1164022876.4302.1594630518489@appsuite-gw2.open-xchange.com>
Date: Tue, 14 Jul 2020 10:25:15 +1000
From: Martin Thomson <mt@lowentropy.net>
To: model-t@iab.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/NCUYbroDLO8Sho6ctwBSvaJdHEI>
Subject: Re: [Model-t] draft-thomson-tmi

On Mon, Jul 13, 2020, at 18:55, Vittorio Bertola wrote:
> I think that this really depends on who you are and how you see the 
> world. There are people who are more afraid of the endpoints, given how 
> hard it has become to be able to know and choose who you (the 
> applications and devices you use) communicate with - so these people 
> would like to become intermediaries, or install intermediaries, to 
> regain control of their communications. 

I did not claim that this was addressing all of the problem.  I agree that not being able to trust endpoints that you bought and are responsible for maintaining is a real problem.  I disagree with the idea that more intermediation is any sort of solution.


On Tue, Jul 14, 2020, at 05:30, Russ Housley wrote:
> #2 has pros and cons.  When one connects to a new public wi-fi, some 
> proxies are often offered to reduce latency.  The choice may be to 
> accept these proxies in order to use the service at all.  So, "control" 
> is an interesting choice of words.  However, it would be really useful 
> to always identify the proxies that are involved. 

The scenario you posit is a common one.  Many employers offer a similar choice: allow me to intermediate your web traffic or find another job.  It's not much of a choice, but not strictly a protocol design choice.  The protocol design decision here is whether to design a protocol to include this intermediation or whether to find another way to accomplish the desired goals.

#2 comes in if you decide to design a protocol that involves this proxy. For instance, you might consider using TLMSP [1] over TLS.  And yeah, "control" was a deliberate choice, but it has interesting implications.

[1] https://docbox.etsi.org/CYBER/CYBER/Open/Latest_Drafts/CYBER-0027-2v020-TLMSP-Transport-Layer-Middlebox-Security-Protocol.pdf