IETF Logo Mail Archive

Re: [perpass] "Its an attack" BCP draft

Ralf Skyper Kaiser <skyper@thc.org> Thu, 21 November 2013 11:47 UTC

Return-Path: <skyper@thc.org>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FB601AD943 for <perpass@ietfa.amsl.com>; Thu, 21 Nov 2013 03:47:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.377
X-Spam-Level:
X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vf80eSx3czMP for <perpass@ietfa.amsl.com>; Thu, 21 Nov 2013 03:47:39 -0800 (PST)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com [IPv6:2607:f8b0:4001:c03::22a]) by ietfa.amsl.com (Postfix) with ESMTP id DA8311ACC89 for <perpass@ietf.org>; Thu, 21 Nov 2013 03:47:38 -0800 (PST)
Received: by mail-ie0-f170.google.com with SMTP id qd12so6737417ieb.15 for <perpass@ietf.org>; Thu, 21 Nov 2013 03:47:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=G+mIpjftHzW0EGbCXCC6ksU3okXXPqC7Ufy+8uJv0x8=; b=A7AUYxholtMDPgFIfls6ilFpJFnvejO20otCLm0M+flASZNBtdVFsIdKQCI0HpCxsb 1zmeliplEjO1ETkupAwdlDGuGXOFqT0qnhW0GhD1gVFXY5XxHgLj8y44RLPTDE86fN7V i1V6mzPGK15BTmlFzEadL9maKCTZZtmSALDio=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=G+mIpjftHzW0EGbCXCC6ksU3okXXPqC7Ufy+8uJv0x8=; b=DRjaP/lO5JQ21a2JwTRBwwYl+JyrcutKxmhJ6FlKVzLZr6/2LI9m97q5nZ9SOLP1KH kXZ6zXPlsVMHdBtDnlNFIyc9LXtI8NPgxJjvb1JIazW4VplKz5P+aA4wEVGeumv2yNp9 SFEEfEwUI3N7vV2Q5E8lQKCVSbWHJdhr1fkuQ6uE8wzxORQu6uz+CtGCoyNYvdZto/hV r7sb6y0HDja5nAml5S24XIIrnBfDNAlBBhFrGDrQOKUNEcyhkz96RIII9CbSbOwi0U/k 1hiMJOJEdmio+jpx+cwOGppaWaEGy5riPhhvrn1WY3yjJuGAEEYlGQTKU55dgveQpeOe iudg==
X-Gm-Message-State: ALoCoQmePsVqVhLrW3ei1w/UUR9I7QvBDOPVimfMryIu/aCxgBQZBm8YVFTF5hgEWBqbnoP3N2vH
MIME-Version: 1.0
X-Received: by 10.50.73.130 with SMTP id l2mr20286751igv.36.1385034452117; Thu, 21 Nov 2013 03:47:32 -0800 (PST)
Received: by 10.64.9.41 with HTTP; Thu, 21 Nov 2013 03:47:32 -0800 (PST)
X-Originating-IP: [87.106.82.87]
In-Reply-To: <528D34D7.1010303@cs.tcd.ie>
References: <528D34D7.1010303@cs.tcd.ie>
Date: Thu, 21 Nov 2013 11:47:32 +0000
Message-ID: <CA+BZK2pKpbJaGNWOeM22QQ1kVBdXuxAz99eX4jBz38HqWOBVjQ@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: perpass <perpass@ietf.org>
Content-Type: multipart/alternative; boundary="089e01160edc8541e404ebae762f"
Subject: Re: [perpass] "Its an attack" BCP draft
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 11:47:41 -0000

Hi,

"...pervasive monitoring significantly more expensive or infeasible"

Recommend to remove 'significantly'. (otherwise there will be an argument
what 'significant' means. 1M USD? 10M USD? And how expensive is it anyway
to send a RST to 240M users? 1 cent? 1 Dollar?).

"...pervasive monitoring" means very widespread privacy-invasive gathering
of protocol"

Recommend to remove 'very' and 'privacy-invasive'. "Pervasive monitoring
means widespread gathering of protocol ...".

RFC1984 had more detail and these specifics in RFC1984 were helpful.  Some
specifics for this I-D:
ENCRYPT EVERYTHING
SECURITY BY DEFAULT
....please add?...

I-D does not touch regulatory changes (liability of service providers
towards its users and neglect when failing to support HTTPS for example).
Wish it did. (One reason why the internet is not secure is because the
manufactures get away shipping products that have all security features
disabled by default...or with default 0000 pins). (RFC1984 did mention
regulatory problems [export control] for example).

Rest is awesome!

regards,

Ralf




On Wed, Nov 20, 2013 at 10:16 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie
> wrote:

>
> Hi all,
>
> Following up on item 3a from the status/plan mail [1] I sent
> last week, Hannes and myself have written up an I-D [2] that
> tries to capture the consensus in the room from the Vancouver
> tech plenary and we're proposing as a BCP.
>
> We're deliberately trying to keep this short and sweet and to
> not (yet) go beyond what was the gist of the hums - we think
> progressing e.g. the threat model or the privacy BCP or other
> bits of related work is liable to take longer and there's value
> in documenting that the IETF as a whole has consensus on the
> most significant bit first so those and other bits of work
> don't all have to re-establish that as they are processed.
> Hopefully we can all easily agree that that's a useful target
> and focus comments on whether on not we've expressed that
> consensus well or not.
>
> <boring-bit>
> We've been bouncing versions of this around amongst the IESG
> and IAB for the last week, and process-wise, that has been
> fun already. As you'll see from section 3 of the draft, we can
> no longer just shoot out an RFC agreed by the IESG and IAB so
> the plan for this is that when Hannes and I figure this looks
> ready, based on your comments, then we'll ask Jari to start a
> 4-week IETF LC for it. When he thinks that's ok he'll start it
> and then we'll see how that goes. Assuming that goes well, then
> sometime during IESG evaluation the IAB will decide if they
> like the final text (or not, which'd be "interesting") and if
> they do then an IAB note saying "yep, we like it" will be added
> sometime during/after IESG evaluation before this goes to the
> RFC editor. In an ideal world, you'll all love the -00 already
> and tell us that and we'll be done with all of the above super
> duper process stuff by the end of the year. (Haven't we built
> ourselves a lovely crazy process? ;-)
>
> I really hope we don't end up with a process debate over this,
> since the above, silly and all as it is, should achieve the
> desirable outcome which is a simple BCP, approved by the IESG
> after an IETF LC and also supported by the IAB. The value in
> that is that it seems to be as close as we can get to the same
> setup as RFCs 1984 and 2804 which is the right kind of heritage
> for this one. So there is a reasonably good reason for the
> process-crap.
> </boring-bit>
>
> Anyway, ignoring process, comments on this are welcome, so
> please take a read of the two pages of content and let us know
> what you think. If you do think its already good enough for
> starting an IETF last call, then saying that is useful as well.
>
> And since the IETF LC will happen on the ietf@ietf.org list,
> using this list for initial processing should be fine.
>
> Cheers,
> S.
>
> [1] http://www.ietf.org/mail-archive/web/perpass/current/msg01016.html
> [2] http://tools.ietf.org/html/draft-farrell-perpass-attack
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass
>

v2.23.0 | Report a Bug | By Email