Re: [Model-t] What are we trying to protect

[Bret Jordan <jordan.ietf@gmail.com>]

I agree with you Ted, this is something we need.  We just need to work through the details to help make sure everyone understands this problem.  We also need to figure out a way to document this material in a way that everyone can understand, but does not cut the information off at the knees.  Too often I feel like we have historically narrowed this information down to statisfy our own confirmation bias. 

I fully get that many here do not understand the attack lifecycle at the same level or understand what an intrusion set is and how that relates to threat actor techniques, tactics, and procedures (or their modus operandi). I also know that most here probably do not track threat actor activity.  But some of us do.  We need to bring some of this knowledge and expertise in to the IETF to help insure that we design things that improve overall security for end users on the internet.

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Aug 5, 2019, at 7:50 AM, Ted Lemon <mellon@fugue.com> wrote:
> 
> I think this is a great approach, Christian.   If we follow your model we should be able to start from what we know and avoid boiling the ocean, without inappropriately skipping some modeling that we actually need to do because it borders on our space, even though it is not itself our space.
> 
> There are a few other things I think we should do.
> 
> First, you may have noticed that I don’t actually show a clear understanding of what the goals of this effort are in my comments.   This is because I’m a security area consumer more than a security area producer, so I wasn’t in the saag meeting.  I saw Stephen’s mail go by about “security models” and thought to myself “excellent, we need that.”   That’s literally all I know about what the plan is for this discussion.   It would be good to actually write down what our goals are.
> 
> Second, I don’t think we all agree on how we want to describe threat models.   If there is to be an abbreviated form for describing threats (as opposed to natural English) we need to document what that form is in sufficient detail that IETF participants who are not SMEs can understand it, and hopefully even contribute.   I’m not saying we have to write an RFC, but at a minimum there should be a wiki that has the needed information.
> 
> I also don’t think we even agree on what we mean by threat models.   Of course we mean models of threats, but at what level of detail?   How close to the code are these models?  How general, or how specific?   This may all be obvious to people on this list who are SMEs, but I’m not, so for me it would help to describe what we mean by “threat model,” not because anybody here is unclear on the basic concept, but because I suspect we don’t agree on the particulars.
> 
> As an example, the models that Bret has described don’t seem as if they would be helpful to me.  This doesn’t mean that they aren’t right—it either means that I don’t understand them clearly, or that we simply have different requirements.   It may be that what I want is not what should be produced here—I’m not claiming otherwise.   But it would be good to get some clarity on that.
>