Re: [Model-t] w3c also thinking about threat models

Bret Jordan <jordan.ietf@gmail.com> Mon, 23 September 2019 20:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/SJF1s4VBvfsLhpBpYhaQw75Uwsw>

The security model needs to be more than just “can passive third parties see the traffic”. We need to make sure we understand and call out the operational security aspects of things we create here. 

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Sep 23, 2019, at 1:52 PM, Christian Huitema <huitema@huitema.net> wrote:
> 
> 
> 
> On 9/23/2019 9:26 AM, Watson Ladd wrote:
>> 
>> 
>> On Mon, Sep 23, 2019, 11:07 AM Joel M. Halpern <jmh@joelhalpern.com> wrote:
>> It seems pretty clear to me that if we take the view that everything is 
>> in scope, we will not produce any useful improvements in our current 
>> security considerations in any reasonably measurable time.
>> 
>> It seems to follow that if we want useful results, we had best find 
>> somewhere to draw a line and agree that we will deal with some 
>> well-defined scope.
>> 
>> Of course, if all people want is a place to complain about the 
>> interaction of architecture, protocol, implementation, and underlying 
>> hardware flaws, I guess we can just complain forever.
>> 
>> Amen! But I think we can look at actual gaps in the network security model vs the host security model vs what programmers and users expect etc. XSS can be seen as a consequence of lacking quotation mechanisms in server interpolated strings.
>> 
>> We also shouldn't privilege one use case over others.
> 
> To answer Joel, I think there is a middle ground between "everything is in scope" and "we don't worry about the implementation of the endpoints". Clearly, we cannot address the multiple ways in which endpoint security fails. On the other hand, we can accept the possibility that endpoint security will sometimes fail, and incorporate that in the threat model. Endpoint security failures often only affect the endpoint itself, such as "get a virus, lose your files". I am not proposing that the IETF discusses that. But many times, endpoint security failures affect a number of other systems.
> 
> For example, we recently saw attacks in which the hackers gained possession of one of the replicated DNS servers for a TLD, which allowed them to put up a fake web server for a domain inside that TLD and attempt to capture login credentials for users of that domain. The attacks were not perfectly executed, but it seems that they could also have obtained valid TLS certificates for that TLD using automated services. Single point of failure, fairly bad results. If that is not in scope for the revised threat model, what is?
> 
> -- Christian Huitema