IETF Logo Mail Archive

Re: [Model-t] draft-thomson-tmi

Christian Huitema <huitema@huitema.net> Wed, 22 July 2020 01:14 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA7023A07A2 for <model-t@ietfa.amsl.com>; Tue, 21 Jul 2020 18:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5M29-2sg-bJ for <model-t@ietfa.amsl.com>; Tue, 21 Jul 2020 18:14:03 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3BA83A078C for <model-t@iab.org>; Tue, 21 Jul 2020 18:14:02 -0700 (PDT)
Received: from xse423.mail2web.com ([66.113.197.169] helo=xse.mail2web.com) by mx128.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1jy3KY-000Wkz-ES for model-t@iab.org; Wed, 22 Jul 2020 03:13:59 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4BBHXz3srQz2DPv for <model-t@iab.org>; Tue, 21 Jul 2020 18:13:55 -0700 (PDT)
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1jy3KV-0001UL-Ck for model-t@iab.org; Tue, 21 Jul 2020 18:13:55 -0700
Received: (qmail 30849 invoked from network); 22 Jul 2020 01:13:55 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.134]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <model-t@iab.org>; 22 Jul 2020 01:13:55 -0000
To: Watson Ladd <watsonbladd@gmail.com>, Carsten Bormann <cabo@tzi.org>
Cc: Eric Rescorla <ekr@rtfm.com>, Mirja Kuehlewind <ietf@kuehlewind.net>, Martin Thomson <mt@lowentropy.net>, model-t@iab.org
References: <422978b2-028d-48e1-85ed-ddaa36e36052@www.fastmail.com> <1164022876.4302.1594630518489@appsuite-gw2.open-xchange.com> <004e5fc9-e284-4c84-8a3c-7872ceb1d20b@www.fastmail.com> <a5838569-2b93-e982-1c9f-df773456c494@huitema.net> <CABcZeBOjcSJAt4G3q87ew3UNrLS2YkSN-+=TTUm6RVW22jfaLg@mail.gmail.com> <8d7b79d6-22f6-2212-d3c1-9b6580cea009@huitema.net> <825777D0-B098-466F-A832-BC7CAB01A9F9@kuehlewind.net> <012A2EDB-4F72-4FE3-8B43-08ACB858BF95@tzi.org> <CACsn0cnWy-mphcGBL3dhyshoFCTkbzp9=FERz27Xa3iozgK1qA@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Message-ID: <a1b1781d-e410-698a-51da-045d4451bb31@huitema.net>
Date: Tue, 21 Jul 2020 18:13:53 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CACsn0cnWy-mphcGBL3dhyshoFCTkbzp9=FERz27Xa3iozgK1qA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DCF8066DB6EE789957DCBECA"
Content-Language: en-US
X-Originating-IP: 66.113.197.169
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0bN4ZX/cCaR95pQ7tQtUF1ypSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDXz6Yli32IJdAuJ3ivsC2SsRX qYbtEQV1z/L435ZRxFRVSs3ZvwCZTqSIL6ppxqyB+rYZvu7UEJiU3s27VgKHO7lwS3dBJTnTxDoD vBGGxph9w6EwXICYy0ePXtGEMhqr40RKF+RjK8XobiMUkDMcvGU6UgOqKJ9sMwhVoOBGSAIboXtx P9OF0EfNs5TqNq2Yhy7LI0kfFnXdPP6btp4oBeJDeKRq5oPj2hFJhLx+qI3HlR3ootg7OlA3N5WN re/oppAGOX5cHTu1yz4pRT/9FGrxEaaKeSxe0Wrx6M4G5/WoLsdfEoJI0BNUQ4KpaNyNCwGqOUcw rXf55E8Tb8bmXq4yH8StrboPphDtmrtUkwkDMc9xayd+oZJo2heFY+g6kVWClPVvbW5lVyQanRxw 5rdY2rW50fd1ekaDpmIWc1Vmt3mnxMTQMQWbvBqEXskTQn6USYs98Imn+lZXe3dwYfgVB1xo6dCf BaU/iegBU8a4JeFQEdnPQhC+43fvoyFcFjD271QKpJbBQfY1omPe3z3SufOdwm+zX4yHNlPE0pP2 ie80q3LAG2MiIaIREzT1xNjuO97khcUFBr/guEWv1bdCp3Zd9clP8wSiJZWbJCj+xRrjVmRxpGtS cvUmgj1L/oyUUx5zj9py/kWSdngabV2jZAOanSBpz6Rja2u/0jLGYCt1qOvDlpEdRRdHmbbYznNl +uMAf3vUHiAg/YD+KPysta6u1iHEyuS7GD1uvco67wg2vRPR/JQ1z0J20dDyJOYIJd4MvQ0Nf4Ec bvHO1diDanHV9KirFAIIecsyj+YNTo81GR+jDXFsz/ZQnbbTizvwlZsrbltGiZoUh+c+5pFVgpT1 b21uZVckGp0ccOa2XhkGbmsUNPNkere1WheNsVXmhO8BzADiszcWR9bz/SDtF09JpSbuuCeiIDK0 C/0=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/RKE3lZYO8_jl5BWhoFZQ72aRbf8>
Subject: Re: [Model-t] draft-thomson-tmi
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2020 01:14:05 -0000

On 7/21/2020 5:01 PM, Watson Ladd wrote:

> On Tue, Jul 21, 2020 at 11:30 AM Carsten Bormann <cabo@tzi.org> wrote:
>> On 2020-07-21, at 16:02, Mirja Kuehlewind <ietf@kuehlewind.net> wrote:
>>> I agree that the even bigger problem is that the user looses control about its data as soon as the data has left their own network and devices. However, that doesn’t mean it is not important to have some control or at least visibility about what data leaves your network. I would say the opposite is the case. The solution to the problem about how your data is maintained is probably regulatory
>> Yes.  The interesting question here is what kind of protocol support is needed to support a regulatory framework.  Доверяй, но проверяй.
>>
>> For instance, I would like to be sure that the data my electricity meter is sending to my electricity broker is what it is supposed to be, and not anything else, whether for criminal intent or gross negligence.  I can just trust my electricity broker and the electricity meter, and I have to trust the broker anyway once they have their hands on the data.  But with respect to what data is leaving my house, it would be better if I had some visibility.
>>
>>> or could be “just don’t install a cloud-backed camera”. Instead, you could probably use a camera that connects to your own gateway to provide this service. However, in this case I really want to make sure that camera really only connects to my gateway and does not also streams the video to the cloud or the police (not even occasionally). At the same time, I guess I still wouldn’t want to block all traffic entirely because I still want to make updates and such. In the end it’s a matter of trust and I might actually trust an independent third-party more than the various IoT companies.
>> Any reasonable model needs to be able to enable доверяй, но проверяй.
> If by reasonable you mean requiring one of several extremely
> complicated tricks to ensure data can be inspected without revealing
> it in plaintext, then this is "reasonable".  Preventing subliminal
> channels is extraordinarily difficult.

Recently, I had a discussion with Paul Vixie about the "LeakyPick" tool
(https://arxiv.org/pdf/2007.00500.pdf). Researchers at TU Darmstadt,
INRIA and North Carolina State develop the tool to audit Internet
connected microphones like Alexa and its competitors. The tool would
play prerecorded sentences in front of the microphone, and see whether
the device picked a word as a keyword. They would verify that by looking
at the encrypted traffic coming out of the device. If the device did not
pick the keyword, it would not send any data, but if it did there would
be a burst of traffic. Encrypted traffic of course, but the activity
could still be detected.

Paul's point was that yes, this could be detected now, but there is no
guarantee that it could be detected tomorrow. If they know they are
being watched, device developers could start adding counter-measures,
like cover traffic. Indeed, doing just that became standard for audio
conferences after attacks where published that detected silence-voice
transitions or length of phonemes in the encrypted traffic. Now, voice
codec just send at a constant bit rate, independent of the variations in
speech. The point is that we may have ways to inspect traffic today, but
that does not guarantee we will be able to keep doing that tomorrow.

Unless of course there is a clear requirement that devices can be
audited -- and we need regulations for that.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email