Re: [Patient] [EXT] RE: Internet Draft posted as requested -

Brian Witten <brian_witten@symantec.com> Fri, 15 December 2017 17:31 UTC

Return-Path: <brian_witten@symantec.com>
X-Original-To: patient@ietfa.amsl.com
Delivered-To: patient@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 502E7126C3D; Fri, 15 Dec 2017 09:31:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.231
X-Spam-Level:
X-Spam-Status: No, score=-2.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=symc.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zWCM_9TTmwOA; Fri, 15 Dec 2017 09:31:29 -0800 (PST)
Received: from asbsmtoutape01.symantec.com (asbsmtoutape01.symantec.com [155.64.138.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 051841200CF; Fri, 15 Dec 2017 09:31:28 -0800 (PST)
Received: from asbsmtmtaapi02.symc.symantec.com (asb1-f5-symc-ext-prd-snat1.net.symantec.com [10.90.75.1]) by asbsmtoutape01.symantec.com (Symantec Messaging Gateway) with SMTP id 81.20.35258.0F6043A5; Fri, 15 Dec 2017 17:31:28 +0000 (GMT)
X-AuditID: 0a5af819-80ab69c0000089ba-11-5a3406f0bf0b
Received: from TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (asb1-f5-symc-ext-prd-snat4.net.symantec.com [10.90.75.4]) by asbsmtmtaapi02.symc.symantec.com (Symantec Messaging Gateway) with SMTP id AB.AA.04178.FE6043A5; Fri, 15 Dec 2017 17:31:27 +0000 (GMT)
Received: from tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) by TUSXCHMBXWPI02.SYMC.SYMANTEC.COM (10.44.91.34) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Fri, 15 Dec 2017 09:31:26 -0800
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (10.44.128.3) by tus3xchcaspin01.SYMC.SYMANTEC.COM (10.44.91.13) with Microsoft SMTP Server (TLS) id 15.0.1236.3 via Frontend Transport; Fri, 15 Dec 2017 09:31:26 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symc.onmicrosoft.com; s=selector1-symantec-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8el6zBSQ9ZqYeknPIiu/9pMwLw//9yxAAeB8yRN2I8U=; b=2DdPnpJEFwoRdccUFJwQLA967fDBbM3KWHj8bSCcXjWBqu7sCRdlvi2glG8WtK1iVM9QhUiO6jp/lV499VcKuNz4/p49gQ7wMcjucQIWFrtUUvnJ9BYdMLTClU2PhAQasxJXujmW9IaPQ0/Pedq3ZIAi4lVpdY3Q7y8h5Q+FC9g=
Received: from MWHPR16MB1488.namprd16.prod.outlook.com (10.175.4.146) by MWHPR16MB1487.namprd16.prod.outlook.com (10.175.4.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.302.9; Fri, 15 Dec 2017 17:31:24 +0000
Received: from MWHPR16MB1488.namprd16.prod.outlook.com ([10.175.4.146]) by MWHPR16MB1488.namprd16.prod.outlook.com ([10.175.4.146]) with mapi id 15.20.0302.017; Fri, 15 Dec 2017 17:31:24 +0000
From: Brian Witten <brian_witten@symantec.com>
To: "Black, David" <David.Black@dell.com>, "patient@ietf.org" <patient@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [EXT] RE: Internet Draft posted as requested -
Thread-Index: AQHTdG3hrR7/CZZMykmDXlV3KMVAN6NDcJ4GgAEyMYCAAAfemA==
Date: Fri, 15 Dec 2017 17:31:24 +0000
Message-ID: <MWHPR16MB14886D3C1CFE600F29918BA1930B0@MWHPR16MB1488.namprd16.prod.outlook.com>
References: <MWHPR16MB14881688FE400E3277CA8A9393310@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889BEE3EB0ED5F328D7C3993370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889B7535153E5844649CA393370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14880A12D15AC58FDD5CEC8793370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488D43F3B53BC7BBE9D836593370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488853B0E4F7BB8E557288D93370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB148845FB069D03625BC399B193370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com> <DM5PR16MB148477E1FAA4C210A3B013F7930A0@DM5PR16MB1484.namprd16.prod.outlook.com>, <CE03DB3D7B45C245BCA0D243277949362FE1821C@MX307CL04.corp.emc.com>
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949362FE1821C@MX307CL04.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=brian_witten@symantec.com;
x-originating-ip: [2605:e000:9394:6500:b45e:d290:dd3d:9478]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR16MB1487; 6:dZ+P+etdFJaZcCYISTJ0LEtRUKL4AXyq5Hg9T9u0PhJPtn1IBhI4HVypD2QOBokhsPYe4V8A7i6/GBsVqdiKv6DLpEsTO0P7Fbx/ztnBWA1YRlEr8M7PJTgEyqYNDzDgGEFwOpGG+DuRotnWYOUxNpeV2yDulwFU7nlXohpbK7WdtT+MBjzzR2ym6BHqMrRkFVqncalDYGgXZDwE7brPKZGVIxJED0kXlv5HafWfZQsN7UI/9AJrMkADyHdYVag+DJ4DwkB5CH28qnpKIXmZv5oEKRJBHNLe98XIbLYdcEtUxqE70JHoE8wvGxezbmgYAjRhWDRZUx2Xw68HvMBiSKfxPoM27ML1xJKvCcJLcC8=; 5:YNDNSZDnKUFMPp4XFG8RhRu58+Ovwm36f6rQ7dzExlQpzftOECJ6oGrQ9OCDP7mZ/xiUxJI60D41et46MUnrD0VFg+DJMbAWTVMkutU1ynXE8wPYB6gKYQgI6b4ZuZvlW/PtS7ZDxO/Z9wXcbvRzqjM9AygkR37zH33Dog4kJYc=; 24:U4ciPkTwcvbNT7GjaXlGhqetg/dBrxE5tSb2h6fKZqi9eZn6aKbJtxV9I/KiL+kdVbUSYgr/x7GaMfRx2WauYM77LkPnZwf7oc07w65a5UU=; 7:RXpk/SrMIcZ1GwWELdoSGNbZ/E50k972infQJWbkc6D+WJfLfCgbJn+jh5WQbFzV6EzW3vQrZ1h8eA8arworaiKCvqnMBGdt1eJdVFskONX0qnvqHEtM/IwkOarFP9dz/3jNEvOWfF0hsxEmWtq9F+v7cl2lQWZBn1qCGYac5pTCmYNIMQT+IGAveqloFNqjp/EJjqQABD6rCiwaFsdF0NJ3MEH7WMr/lGM8moXGpvHe282AsLJUPAt//vnV8AQR
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 14a8b0a6-7972-486e-e388-08d543e1aa38
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(2017052603307); SRVR:MWHPR16MB1487;
x-ms-traffictypediagnostic: MWHPR16MB1487:
x-microsoft-antispam-prvs: <MWHPR16MB14874E36CEB6956970740267930B0@MWHPR16MB1487.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(72170088055959)(192374486261705)(258766100185102)(94390896966249)(94626863071701)(56004941905204);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(8121501046)(5005006)(10201501046)(3002001)(3231023)(93006095)(93001095)(6041248)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123562025)(20161123555025)(20161123558100)(6072148)(201708071742011); SRVR:MWHPR16MB1487; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:MWHPR16MB1487;
x-forefront-prvs: 05220145DE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(376002)(346002)(396003)(53754006)(199004)(189003)(13464003)(51414003)(33656002)(77096006)(6436002)(229853002)(1680700002)(8666007)(106356001)(53386004)(105586002)(6246003)(236005)(54896002)(97736004)(9686003)(6306002)(19627405001)(5660300001)(6116002)(561944003)(53936002)(6606003)(55016002)(2950100002)(2900100001)(102836003)(606006)(74316002)(7736002)(10290500003)(81166006)(8676002)(68736007)(99286004)(93886005)(7696005)(25786009)(110136005)(2501003)(86362001)(53546011)(3660700001)(2906002)(14454004)(316002)(3280700002)(575784001)(478600001)(2201001)(76176011)(966005)(59450400001)(8936002)(6506007)(81156014)(9010500006); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHPR16MB1487; H:MWHPR16MB1488.namprd16.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: symantec.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR16MB14886D3C1CFE600F29918BA1930B0MWHPR16MB1488namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 14a8b0a6-7972-486e-e388-08d543e1aa38
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Dec 2017 17:31:24.4257 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 3b217a9b-6c58-428b-b022-5ad741ce2016
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR16MB1487
X-OriginatorOrg: symantec.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sf0hTURTHue+9bW+jxXNZHo0gRkkYLodigiYWEoqakkgwjHrqM80fs20O FZIplLkUf7BCp7LCpbgKKhMLE2RpOakmEib2y9Qkp1L7Z1my1bY7wX8un/M933vPOZdDk5IR XhhdXK7hVOVsqZQvokSKNBT5ix+jiLpmIuOcxl4qbnUsOs7Q0kgkkSntnR1kitn8h8giFKKE Aq60WMupjiVeFBXpzdqKuRGiaqJ/iNSh+3pCj4Q0MDFgeGv0soiWME4EjxuGBXpE+xNvvgux 7kJQZ7AJcDCBoH5xhsTBKgK39T3lCyimkQTTq3oKZwwEfP3SF3h4HMEN5weBryKfkcGE+xPP x8GMGrq//aV8vIeJh0H7pADrCdBv8VCYT8FKS6e/W4o5DHNTs6SPxUwubFkHAk2N8mFs0eW/ IGTOwJLb5mfE7IPfUw/8l0kmBOaXTYGxGTC/sJOY98LqkoeH/bkw9dAR0OPB5XQIMB+AGdNN 5CsGjFUAjllLICGDobYNhDkDBnsGKGwyI5hq2jZFwMumYQL/awk0dBHY04Ogu3mJbEVy444G jV4bySjhda/Q6B80CGydyxS2yGDuloGP+Sj03V0jMUdCh8dK7dTvIIEFHWTVeeoyjbJSw1Zw UXKZuros33ew3oXKl+Ury54g/0pthj5D45PpVsTQSLpLfN0drZDwWK3XaUVAk9Jg8fqKVxIX sNU1nEp5QVVZyqmtaD9NSUPE7a5whYS5xGq4Eo6r4FTbWYIWhulQcsrpdVnH7X9HQhsWEg7d czpqz2+11CQH96Wx+dM/sqsud2W1pUNs89l6izQqdFmYF+bJnK2zHZdWFBakarJyavvjNps+ 5uq31rQnk+Z07nc6adPT556fqYuJQVfsrY6ZE6M5ufaMkemNR5bYz4VU+HLaGJW521g7vyDP vio8J6XURaw8glSp2f/mNW6HTgMAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA02SbUhTYRTHee692+6WwtOyPGlSLAQxtjQVDE2qDyWkEVQfHIJd9ZJD58s2 paLALEqnYZmKLm2WQ3H2hi9YaSTXqblCUUtNzMiZoCE1EK1My+1Z4JeH3/+c/3nO4XBYWm4W +bGaTAOvy+QyFGIZI1OfYJTfxeHqkIK2g5FOUz0TOd8dFlleWkQdpmPLqqvoWIvlF3WKUsui U/kMTR6v2x9zTpZmtORlT3RSF3ob2+l81GykjIhlAYfDu69SI5KxcryM4Gr5gISIXgQFMyM0 EfMI1oT3jEswuIgGc18BQzLlFHyebqCIsCEodI5vfCBlxVgFvWtTIhf7YD3UfPnNuHgbjoLW oTcSEo+GRus6Q/gozJVWUy5mcCBM2MdoF3vjRFgVmjxDvRJD98yyu0CKT4JjbcDNCO+AFfsj dzGNfWFy1uxmwBgsXUM04e0w71gXEX8i2B8veOJRsOxckBAOgBFzMXI1AyxIYGHM6kmooP3O IiIcD621TQwxWRDYS/6bgqGnpMOz13S4eY8inloENbccnm51NHwqTCa8Cx4+sYpuI6Vp0+Cm jXIaZ0F/vdTkXsBWGKieZYhFBRMV5WLC+6DhwTeasBKq1gVmc7wOSaxoD6dP1msNWgPHZWtC Dqj0F7UprofbuKcUVUqWtgW5L2rV9zka/BMnIMwihZc3ngxTy0Vc3oZTQP4so/D1dgRRajk+ zxn4dJ7P5nVJutwMXi8gipX65aOy4qTQu0Et8WPpZ9uUU6Otb336czpTL41qPlZUCjErOT43 ujqqK5xL033XflaYEy7vjDktxCYtfZh8Mbz3vt8ziPPR/OU1gYqeFf+67sGXiz9Mh56GR4yr HDblluys13lXbLtzJcds/sa5iIBcndeRoNXr/vbh45VdYcbZhIYzzQpGn8aFBtM6PfcP1u0f 2jIDAAA=
X-CFilter-Loop: ASB04
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/DtlPQo_NRv4ab9OYupJFp_vRCPc>
Subject: Re: [Patient] [EXT] RE: Internet Draft posted as requested -
X-BeenThere: patient@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Protecting against Attacks Tunneling In Encrypted Network Tunnels <patient.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/patient>, <mailto:patient-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/patient/>
List-Post: <mailto:patient@ietf.org>
List-Help: <mailto:patient-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/patient>, <mailto:patient-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 17:31:34 -0000

Many Thanks!

Re, "inserted without any form of knowledge or authorization by the endpoint," in fact, PATIENT aims to establish a protocol whereby end-users get visibility into ALL of the "things" (middleboxes) monitoring the communications.

Re "root certs into a browser's trust store," you're absolutely right that this is common practice today.  This practice (without any additional protocols such as what PATIENT could enable) breaks end2end Integrity protection.

As a community, we can do much better.  We can make this much safer, both on end2end cryptographic integrity protection a la Stickler, and giving endpoints/users more visibility into the number of MB's monitoring their communications!

Thank You Again!!


________________________________
From: Black, David <David.Black@dell.com>;
Sent: Friday, December 15, 2017 9:07 AM
To: Brian Witten; patient@ietf.org; saag@ietf.org
Subject: [EXT] RE: Internet Draft posted as requested -

> The logic, in the short form of roughly five points would be:
> ** (1) ** Endpoints have vulnerabilities.  ( unfortunately lots of them.  For
> this part I believe there is overwhelming evidence, but please LMK if you
> disagree. )
> ** (2) ** These vulnerabilities are often difficult (sometimes nearly
> impossible) for device owners, users, etc, to mitigate "in" these endpoints. (
> this is true today for countless devices, and increasingly true for increasingly
> closed devices, particularly in IOT and mobile. )
> ** (3) ** For that reason, those endpoint owners/users/etc often need to
> put some "thing" in the network to mitigate those endpoint vulnerabilities.
> ** (4) ** For that to be effective (against attacks in encrypted traffic), that
> "thing" needs keys to inspect the encrypted traffic.  ( This can be done any of
> many ways, as it's done today. )
> ** (5) ** Where that's done today, it can be done much more safely,
> therefore we should spec standards for how to do it more safely.  ( Lots of
> ideas have been published in research, and I include some details on that
> further below, but maturing the right ones and baking them into a standard is
> of course typically a "bigger group" effort. )
>
> In that framework, I'd love to know which of these 5 points above (if any) are
> agreeable to you, and which specifically you believe are either simply dead
> wrong or the right-best focus of constructive discussion.  For some it seems
> that point (3) above is the most controversial,

Particularly when the "thing" is inserted without any form of knowledge or authorization by the endpoint.

The discussion should be qualitatively different when the endpoint owner/user/etc. is required to do something in order to authorize the "thing" to access the endpoint's encrypted traffic.  A deployed example that may help in thinking about this is insertion of firewall decryption root certs into a browser's trust store to enable a firewall to inspect all encrypted web traffic that enters or exits a corporate network.  This is only an example - these three sentences are *NOT* a proposal to standardize anything ... but they are a report on current "running code" ...

Thanks, --David
----------------------------------------------------------------
David L. Black, Distinguished Engineer
Dell EMC, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953    Mobile: +1 (978) 394-7754
David.Black@dell.com
----------------------------------------------------------------

> -----Original Message-----
> From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Brian Witten
> Sent: Thursday, December 14, 2017 5:59 PM
> To: patient@ietf.org; saag@ietf.org
> Subject: Re: [saag] Internet Draft posted as requested -
>
> Thank you everyone for your comments!
>
> The request in Singapore for an Internet Draft seemed focused on an ask for
> data, so I tried to keep the v00 focused on the data, and concise to be easily
> read quickly, and I thought that I might be going onto a limb beginning to
> present some of the logic, but it seems like many are hungry for more of the
> logic (or "at least some logic" as they might say) so I'll present more of the
> logic.  Of course, much of the logic was presented in the near 40 slides sent
> earlier and roughly 5 pages of Q&A, but I agree with the merits of centralizing
> all of the logic in an Internet Draft, so I'll aim to do that in the v01, and,
> perhaps more importantly, I also hear clearly some of the concerns on how
> the logic was organized (or unorganized or disorganized as some might say) in
> Singapore, so I'll try to be more clearly structured both here and in more
> detail in the v01.  I'll comment on the solutioning further below, but since so
> many seem so hungry for the logic, I'll try present it relatively concisely here
> so that discussion here can best shape the v01 which will pull from the list,
> the slldes, and more.
>
> The logic, in the short form of roughly five points would be:
> ** (1) ** Endpoints have vulnerabilities.  ( unfortunately lots of them.  For
> this part I believe there is overwhelming evidence, but please LMK if you
> disagree. )
> ** (2) ** These vulnerabilities are often difficult (sometimes nearly
> impossible) for device owners, users, etc, to mitigate "in" these endpoints. (
> this is true today for countless devices, and increasingly true for increasingly
> closed devices, particularly in IOT and mobile. )
> ** (3) ** For that reason, those endpoint owners/users/etc often need to
> put some "thing" in the network to mitigate those endpoint vulnerabilities.
> ** (4) ** For that to be effective (against attacks in encrypted traffic), that
> "thing" needs keys to inspect the encrypted traffic.  ( This can be done any of
> many ways, as it's done today. )
> ** (5) ** Where that's done today, it can be done much more safely,
> therefore we should spec standards for how to do it more safely.  ( Lots of
> ideas have been published in research, and I include some details on that
> further below, but maturing the right ones and baking them into a standard is
> of course typically a "bigger group" effort. )
>
> In that framework, I'd love to know which of these 5 points above (if any) are
> agreeable to you, and which specifically you believe are either simply dead
> wrong or the right-best focus of constructive discussion.  For some it seems
> that point (3) above is the most controversial, but others are already asking
> the details of (5) which is where the slides focused, but the v01 will of course
> cover both in depth, and, as promised, I'll give some points on (5) below.
>
> On the solutioning, as mentioned at the side-meeting, lots of solutions have
> been proposed in research communities, but I believe it's important to get
> aligned on the problems we're solving as a community before picking a
> solution.  As mentioned at the side-meeting, solutions proposed by the
> research community include Stickler by Boneh & team at Stanford, plus the
> unfortunately named mcTLS and mbTLS efforts, and more, but I believe it's
> important to get aligned on the problems we're solving as a community
> before picking a solution.  Once we're aligned on (1) through (5) above then
> it makes more sense to get into the specific problems with (4) which (5) tries
> to address, including (a) retaining end-to-end integrity, (b) giving endpoints
> more precise control over when, where, and how such protection is
> delivered from the network, in strong contrast today's all-or-nothing just-
> install-a-root approach.
>
> To address some of the other important questions and concerns raised over
> the past day.
>
> Re, "does not specify a new protocol," many of the potential/candidate
> protocols were mentioned at the side-meeting, in the notes of the side-
> meeting, in the slides presented at the side-meeting, and in the email to
> announce the side-meeting, but I'm happy to add them to the v01 to keep
> everything together in a single Internet Draft.  For context, as Stephen
> pointed out, his ask was not for an Internet Draft of a protocol, but for the
> data (and logic) of why it might help to spec a new and/or additional protocol.
> Re, "It does not specify a concrete problem (use cases)," again these were
> mentioned at the side-meeting, in the notes of the side-meeting, in the
> slides presented at the side-meeting, and in the email to announce the side-
> meeting, but I'm happy to add them to the v01 to keep everything together
> in a single Internet Draft.
>
> Re, "It does not specify any kind of architecture," as above, covered before,
> but I'm happy to add it to the v01 of an Internet Draft to get everything
> together in a single Internet Draft.  These seem like constructive requests,
> even if the material was covered elsewhere already.  Thank You Again!
>
> Similarly, if anything is missing from the notes, I'm eager to be sure this
> discussion fairly and deeply captures _all_ views, particularly opposing views,
> so where there are gaps in the 7 pages of notes we took, those gaps are
> absolutely not intentional.  I'm eager to see any omissions rectified, so
> please send any additions, corrections, etc, either to this list or to me
> personally.  Either way, I'm eager to be sure everyone sees all views and
> hears all concerns and that all of those concerns are included and/or
> addressed somehow in a v01.
>
> Re, "pervasive monitoring should make way for network based monitoring," I
> wasn't trying to say that and in fact, from the slides you can clearly tell that
> PATIENT is aiming to more completely block pervasive monitoring.  Crypto
> helps block pervasive monitoring by listeners in the network.  Pervasive
> monitoring is also possible by hacking all the endpoints, and as presented in
> the side-meeting, we have ample evidence of nation-states attempting to do
> this.  PATIENT aims to make safer prevention of the latter approach to
> pervasive monitoring.
>
> Re, "draft-mm-wg-effect-encrypt," you're absolutely right, and I'll cite that
> work in the v01 for precisely those reasons.  In fact, my aim is to (eventually,
> after we get aligned on scope, etc,) design a protocol that allows network
> security appliances to yet more safely work hand-in-hand with pervasive
> encryption.  I'm not trying to push back against pervasive encryption at all.  I
> suspect I might have to keep repeating myself on that until people believe it?
>
> Re, "So far, I am still not convinced that a SOCKS proxy . connected via a
> VPN, is not sufficient to filter out malicious data."  I believe connecting
> proxies via VPN is a great way to help block malicious data.  I'm also not
> debating the type of proxy to be used.  As you know, and as the slides say,
> and as the v01 will say, I'm saying that when proxies change stuff, it would
> help for the endpoint to know which proxy changed what where.  Stickler
> helps with that.  I think it also helps for endpoints to know more about the
> proxy on the other side of the VPN, but I'd be happy for that to be in-scope
> or out-of-scope for a first WG on this. Re, "from your conversations and
> presentations (not from this document)," you raise a very fair
> point.  Although the original ask was not to put "everything" into a single
> Internet Draft, putting "everything" into a single Internet Draft seems like a
> great idea, so I'll aim to do that with v01.
>
> Regarding "months later," this seems to be at least a mild exaggeration as the
> meeting was one month ago tomorrow.
>
> Regarding "all in a non-verifiable manner," I thought counting phishing
> websites would be easy enough for anyone who really wanted to test a
> hypothesis instead of standing on rhetoric.  PhishLabs seemed to manage
> that OK.  I haven't counted all of the https sites in PhishTank yet, but at first
> glance the fraction seems substantial.  Admittedly, not all of the data is
> directly verifiable, nor did I ever promised that _all_ of the data would be
> directly verifiable, but counting phishing sites seemed easy enough.  Please
> LMK if I'm wrong on that point.  The other sources seem to corroborate each
> other.
>
> Regarding posting to the "Threat Response Blog," we'll consider that, but the
> ask to us was to share more data here so we brought the data here as
> requested.
>
> As a side comment, I'd also note the use of pejorative phrasing.  "argues for
> the mitm attacks on https," . It seems that you're calling "network based
> blocking of malicious webpages" an "attack" when the blocking is actually
> blocking the server's _attack_ against the client.  Where I choose to have a
> network proxy protect from evil on the net, I don't consider that proxy to be
> attacking me.  I consider that proxy to be protecting me, and many
> organizations manage keys accordingly.  We see more and more people
> needing network help in protecting themselves from such attacks, as laid out
> in (1) through (5) above.  I look forward to your feedback there.
>
> Thank you again -
>
> Cheers,
> Brian
>
>
> From: Brian Witten
> Sent: Wednesday, December 13, 2017 3:55 PM
> To: patient@ietf.org
> Subject: Internet Draft posted as requested -
>
>
> Hi Everyone,
>
> With the Wired article last week (  https://clicktime.symantec.com/a/1/rIiJXLn_RcL6DO1kshrfRFngO-jzXx2qnw5My1Gmx-4=?d=acDp1ppr8wHdxscIO4PLDe8sLDUJcnfHSz2clVZzWLBTyzbkEl4RaUhyHkZYo10tyNBxxnXDlN2oWb07cBnksNldu3BSjflTGgm5HQghRGGbipD3c7Nl4rUJ2U65HmVxzWgiiV0Ynq0kqVwskgbtycb-DcPW4Q3IIx1qQwmT66LrRpGVItWeSOY1eY-KLO-F4N7fwc8Z3FJyaKcxhdPsTn4TFe6OkX9MgQJsjXttvbHcoHr_hM1GRoT_HmfV-KyYQemM7RzNkRbb2ES1NQp2v_mmPoMGPwDdPxkuJKGsPg-FY6EFpCQ3EcmayeK9TZhaFUUhH01VFcgm_8Qqb8bYf2vbBDgj-8y_rzqcJ1TA_bvPfjlxvEzOps0yNQl9DH26gAGK9GM5MXxDEZc5xAocAyQ%3D&u=https%3A%2F%2Fwww.wired.com%2Fstory%2Fphishing-
> schemes-use-encrypted-sites-to-seem-legit/ ) ... I wanted to get the
> Internet Draft ( https://clicktime.symantec.com/a/1/1E0rtJCkJI3RRVQJh91qEecCADHsunsL3_elUVceQ0k=?d=acDp1ppr8wHdxscIO4PLDe8sLDUJcnfHSz2clVZzWLBTyzbkEl4RaUhyHkZYo10tyNBxxnXDlN2oWb07cBnksNldu3BSjflTGgm5HQghRGGbipD3c7Nl4rUJ2U65HmVxzWgiiV0Ynq0kqVwskgbtycb-DcPW4Q3IIx1qQwmT66LrRpGVItWeSOY1eY-KLO-F4N7fwc8Z3FJyaKcxhdPsTn4TFe6OkX9MgQJsjXttvbHcoHr_hM1GRoT_HmfV-KyYQemM7RzNkRbb2ES1NQp2v_mmPoMGPwDdPxkuJKGsPg-FY6EFpCQ3EcmayeK9TZhaFUUhH01VFcgm_8Qqb8bYf2vbBDgj-8y_rzqcJ1TA_bvPfjlxvEzOps0yNQl9DH26gAGK9GM5MXxDEZc5xAocAyQ%3D&u=https%3A%2F%2Fwww.ietf.org%2Fid%2Fdraft-witten-protectingendpoints-
> 00.txt ) posted publicly for others to comment sooner rather than later.  Of
> course, feel free to comment here on the list  or just me comments 1:1 at
> bwitten@symantec.com.  Thank You Either Way!
>
>
> https://clicktime.symantec.com/a/1/EZreXTnVcH4VO_SfwFt5e40fv5Kya02XGSioz4HgSnQ=?d=acDp1ppr8wHdxscIO4PLDe8sLDUJcnfHSz2clVZzWLBTyzbkEl4RaUhyHkZYo10tyNBxxnXDlN2oWb07cBnksNldu3BSjflTGgm5HQghRGGbipD3c7Nl4rUJ2U65HmVxzWgiiV0Ynq0kqVwskgbtycb-DcPW4Q3IIx1qQwmT66LrRpGVItWeSOY1eY-KLO-F4N7fwc8Z3FJyaKcxhdPsTn4TFe6OkX9MgQJsjXttvbHcoHr_hM1GRoT_HmfV-KyYQemM7RzNkRbb2ES1NQp2v_mmPoMGPwDdPxkuJKGsPg-FY6EFpCQ3EcmayeK9TZhaFUUhH01VFcgm_8Qqb8bYf2vbBDgj-8y_rzqcJ1TA_bvPfjlxvEzOps0yNQl9DH26gAGK9GM5MXxDEZc5xAocAyQ%3D&u=https%3A%2F%2Fmedia.wired.com%2Fphotos%2F5a25b22aa587381053b48abb%2F191%3A100%2Fpass
> /PhishingHTTPs-FeatureArt.jpg
>
> Phishing Schemes Are Using Encrypted Sites to Seem Legit
> www.wired.com<http://www.wired.com>
> A green padlock might make it seem like a site is secure, but increasingly
> phishers are using it to lure victims into giving up sensitive info.
>
> Looking Forward,
> Brian
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://clicktime.symantec.com/a/1/8r1dfpQVPaT0ym4x10d1AoBGkiwLzbkySDbKaq-1M2Q=?d=acDp1ppr8wHdxscIO4PLDe8sLDUJcnfHSz2clVZzWLBTyzbkEl4RaUhyHkZYo10tyNBxxnXDlN2oWb07cBnksNldu3BSjflTGgm5HQghRGGbipD3c7Nl4rUJ2U65HmVxzWgiiV0Ynq0kqVwskgbtycb-DcPW4Q3IIx1qQwmT66LrRpGVItWeSOY1eY-KLO-F4N7fwc8Z3FJyaKcxhdPsTn4TFe6OkX9MgQJsjXttvbHcoHr_hM1GRoT_HmfV-KyYQemM7RzNkRbb2ES1NQp2v_mmPoMGPwDdPxkuJKGsPg-FY6EFpCQ3EcmayeK9TZhaFUUhH01VFcgm_8Qqb8bYf2vbBDgj-8y_rzqcJ1TA_bvPfjlxvEzOps0yNQl9DH26gAGK9GM5MXxDEZc5xAocAyQ%3D&u=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsaag