Re: [Patient] Internet Draft posted as requested -:$
Paul Wouters <paul@nohats.ca> Thu, 14 December 2017 02:21 UTC
Date: Wed, 13 Dec 2017 21:21:16 -0500
From: Paul Wouters <paul@nohats.ca>
To: Brian Witten <brian_witten@symantec.com>
cc: "patient@ietf.org" <patient@ietf.org>, saag@ietf.org
In-Reply-To: <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com>
Message-ID: <alpine.LRH.2.21.1712132056130.28112@bofh.nohats.ca>
References: <MWHPR16MB14881688FE400E3277CA8A9393310@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889BEE3EB0ED5F328D7C3993370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14889B7535153E5844649CA393370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB14880A12D15AC58FDD5CEC8793370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488D43F3B53BC7BBE9D836593370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB1488853B0E4F7BB8E557288D93370@MWHPR16MB1488.namprd16.prod.outlook.com>, <MWHPR16MB148845FB069D03625BC399B193370@MWHPR16MB1488.namprd16.prod.outlook.com> <MWHPR16MB1488848D7AC828EBB8DA90B093350@MWHPR16MB1488.namprd16.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/patient/tcJhvEgda_BHV62FYe9UI_3KSwM>
On Wed, 13 Dec 2017, Brian Witten wrote:

[ Adding saag@ietf.org for now, as I don't think many of the security people made it to the new patient list yet ]

> I wanted to get the Internet Draft ( https://www.ietf.org/id/draft-witten-protectingendpoints-00.txt )

This document confuses me.

- It does not specify a new protocol
- It does not specify a concrete problem (use cases)
- It does not specify any kind of architecture

The Abstract states:

    This document describes the logic for third-party and network security to complement strong cryptographic protocols, and presents data, including independently verifiable data, helping scale the importance of blocking attacks that might be hiding in encrypted network traffic.

This report includes data from multiple sources. Some of that data is verifiable. What logic does it specify? What complementing security does it specify?

The conclusion states:

    Precluding network based protection for endpoints is not consistent with the imperative to treat mass surveillance as an attack. Mass hacking of endpoints is surveillance by another means.

Equating the number of compromised hosts with the number of visible hosts to a pervasive monitoring agent makes no sense. But more importantly, you state that pervasive monitoring should make way for network based monitoring (or rather, "voluntary" host based extrusion of privacy to (un)trusted third parties). This obviously comes with a huge problem of designing an "opt-in" protocol that a nation state can abuse to be "never opt-out".

As much as I don't like draft-mm-wg-effect-encrypt for fear of security companies grasping at it for a justification of pushing back against end to end encryption, if you read that document, it does a much better job of neutrally informing people of the issues of deploying endpoint encryption (which I prefer to call "pervasive privacy"). If you remove that content from your document, nothing much is left.

I know from your presentations and conversations that you believe hosts securely connecting to a proxy is not good enough to solve the issues you deem exist. Your document should instead focus on that. Which current IETF protocols are in use to achieve endhost security, why are these no longer feasible, what changes do you need to make this work. You don't need to present statistics about security failures.

So far, I am still not convinced that a SOCKS proxy or even a DNS proxy, connected via a VPN, is not sufficient to filter out malicious data.

Again, from your conversations and presentations (not from this document) I know you are looking at endnodes giving out private key material to a trusted third party. Convince me why this is required from a protocol point of view, not a business model point of view.

The fact that your colleague's email showed leakage of such "protection" system by leaking https://clicktime.symantec.com/ links in response to an ietf email does not help me gain confidence that I should change a security protocol to facilitate the protocol modifications presented at the BOF.

Paul