IETF Logo Mail Archive

Re: [perpass] Howdy!

Dean Willis <dean.willis@softarmor.com> Fri, 13 September 2013 17:12 UTC

Return-Path: <dean.willis@softarmor.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3220321E80B6 for <perpass@ietfa.amsl.com>; Fri, 13 Sep 2013 10:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.143
X-Spam-Level:
X-Spam-Status: No, score=-101.143 tagged_above=-999 required=5 tests=[AWL=-0.958, BAYES_40=-0.185, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nkHl5dIZisj8 for <perpass@ietfa.amsl.com>; Fri, 13 Sep 2013 10:12:45 -0700 (PDT)
Received: from mail-ob0-x235.google.com (mail-ob0-x235.google.com [IPv6:2607:f8b0:4003:c01::235]) by ietfa.amsl.com (Postfix) with ESMTP id B1F1911E8171 for <perpass@ietf.org>; Fri, 13 Sep 2013 10:12:45 -0700 (PDT)
Received: by mail-ob0-f181.google.com with SMTP id gq1so1325738obb.40 for <perpass@ietf.org>; Fri, 13 Sep 2013 10:12:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=softarmor.com; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=pvH31k2SCnmnQEHLzJKvxuHPcniYXYUfkhx4MHjHyjc=; b=Ppnf8pToLXh3kIPwrVx+cbYDmUmdSrQUoIg7d0BTe1Uf8AGBGfsj84KlSbTiDqcHc8 lM4mWMOarVm6WMKxTh92DXIozvDt/F1MnAIAeINNKAmernzaI3JHp5rT1n+wAPLQGG5j nYnaJ2Nc2yPz8mqU4X0nsh1QXgjAZagSnaAxw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=pvH31k2SCnmnQEHLzJKvxuHPcniYXYUfkhx4MHjHyjc=; b=MmHUWdLZB/+ZilwY9k25qJWMugR4qFIi+hWuXuuSf14sQbdL35fgakT3/tp7iO/YL5 yDAtFPYsIy2pSwUILukOwyzhUiHYcHsIQ/NYTwvw/+SN4VSBjEuM2bNTNE9WNMs7Rkhp hHYmRhNAzbnWqccYo8RvU4chmBy439ZPYSUfkZ4v1NboMnVOG1wrvmh1+euehlCbVUZe QHQKFM8VxDzZA2bY5ZLpsXQZXPErR7IZLWTuIjHCgI4vrD/Mp+70vxb+5QX4C77WSDhv 0Fxbsv3HzqilBpoLNTuDIKHSeE55T/GdZOUG6kNRKplxrxO03Wph/hb8+/dPQ3kg+d20 +6Yw==
X-Gm-Message-State: ALoCoQk6SKeNKqPkqW2Alwwg5VD/OeM3kSLtqzjWyEdCVcLRed0mnfjOwnikATZEnzPiqRTyrwsk
X-Received: by 10.60.56.3 with SMTP id w3mr13124030oep.37.1379092364181; Fri, 13 Sep 2013 10:12:44 -0700 (PDT)
Received: from [192.168.2.112] (cpe-72-181-157-19.tx.res.rr.com. [72.181.157.19]) by mx.google.com with ESMTPSA id r6sm15363089obi.14.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 13 Sep 2013 10:12:42 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_7D421480-A173-4256-A69A-38FB3821E25D"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dean Willis <dean.willis@softarmor.com>
In-Reply-To: <522E17F9.4000206@bbn.com>
Date: Fri, 13 Sep 2013 12:12:40 -0500
Message-Id: <7DA623C5-E8C4-437F-BFC9-0CDD350853A8@softarmor.com>
References: <CAOHm=4ujOYTHO63EFWMYJBgxUWq00zezYKAJ8B4Vgf_C=xRRVg@mail.gmail.com> <5224DF25.60503@cs.tcd.ie> <7C92613E-33E8-48A6-A152-E9DBB29DEC04@softarmor.com> <522A328A.5060008@cs.tcd.ie> <522E17F9.4000206@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1508)
Cc: perpass@ietf.org
Subject: Re: [perpass] Howdy!
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The perpass list is for discussion of the privacy properties of IETF protocols and concrete ways in which those could be improved. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2013 17:12:47 -0000

On Sep 9, 2013, at 1:48 PM, Stephen Kent <kent@bbn.com> wrote:

> Stephen,
> 
> Since you solicited feedback ...
> 
> We have had considerable, recent, experience with the need to avoid adding delay to a user's web experience (e.g., "Happy Eyeballs") in the v4/v6 transition context. Suggestions that we increase delay in favor of security are not likely to be well received by users or service providers.

Too bad. We can try to minimize the impact, but a net that gets you killed because the wrong person heard you say the wrong thing is worse than one with slightly less bandwidth or temporal QoS.


>>> I think there are a couple of principles that we need to adopt IETF-wide.
>>> 
>>> Part of the definition of "good Internet citizen" for a protocol or application is that not only does that protocol/application include anti-surveillance principles for itself, but that it helps OTHER protocols avoid surveillance. Surveillance-resistance is MORE IMPORTANT than optimizing transport efficiency.
> given the quantity of meta-data (and personal data) collected by Google, Facebook,
> and many other commercial entities, and the willingness of users to supply such data, it's hard to believe that most users would agree with this statement.

Perhaps. But unless one accepts it as a principle, one is doomed to build surveillance-friendly networks.

>>> 1) Everything SHOULD be encrypted, unless there is an absolute operational requirement not to. This means "encryption by default" in new protocols, and not even specifying unencrypted operations modes unless necessary. Older protocol specs still in use should be revised to require encryption. Deprecate the non "s" versions of protocols.
> One of the reasons many enterprises decline to employ e-t-e encryption within their
> nets is because it interferes with debugging and scanning of traffic for malware. While
> I am in favor of mandatory to implement encryption for our protocols, mandatory to use
> is not a good idea in all cases.

I've been enterprise IT. And enterprise security. Most of their security problems come form their own people abusing the loopholes. Sure, the IT department is lazy. But once the "generally accepted best practices" require e2e, they'll play along. remember, corporate policies are driven by generally accepted best practices such as GAAP for accounting.

Note that, at least under US law, the management of a corporation is subject to legal attacks from shareholders for losses related to the failure to deploy generally accepted best practices for information security.

 A listing of best practies is here:

http://www.wpi.edu/academics/CCC/Policies/bestpractices.html

Note that they're written by people like CDT (an officer of which edited our privacy RFC), NIST, and other bodies that we influence.

An Internet BCP can go a long way in addressing these things.

>>> 2) Well-known ports should be avoided. Or overloaded to the point where the port number is no longer a significant indicator to the application. This gives rise to the "everything over 443" mentality, which we need to find a way to handle gracefully. Demuxing the service within the channel is a better idea than I used to think.
> others have already noted that this is a bad idea from a protocol perspective. in an era when many folks try to minimize the number of round trips needed to provide a service to a user, this add to the total. again, while security folks might see this as attractive, I
> doubt that many users and service providers wold agree.

Everybody wants something for nothing. See Best Current Practices.

>>> 3) Packet sizes should be variable, preferably random. This is the opposite of the "discover the MTU and fill every packet" model of efficiency. Or, we could make all packets the same fixed size by padding small ones. I like random better, but there might well be some hardware optimizations around fixed packet sizes.
> we have long understood what it takes to provide TFS, and nobody has wanted to waste the bandwidth to do it properly. I doubt that this view has changed.

Should it? Who funds BBN, anyhow? What's your motivation for making choices that increase surveillance? 

Yeah, that's an ad hominem attack . But we're going to get a lot of those, and need to have a great deal of confidence in our answers. "Nobody wants security" is probably not a good enough answer … Nor is "Security costs too much", especially until the costs have been more completely quantified -- including the costs of making systems that nobody will buy because they don't want to spill their guts to our friends at Meade. Even the least suspicion of pro-surveillance bias needs to be avoided for the results to be credible.

>>> 4) Every protocol spec needs to include a pseudonymous usage model, and most should include an anonymous usage model.
> Use of pseudonyms is applicable to very few of our protocols, and most of the ones where it
> is applicable, it is already satisfied. Anonymous use, depending on the definition one
> uses, may be easy or nearly impossible.

Admittedly, the definition here is tricky. Plausible deniability only works for guilty-beyond-a-reasonable-doubt, which is missing in a number of domains. But there's a lot here we can do that we don't.

>>> 5) New protocols should be built around end-to-end crypto rather than relying on transport-level wrappers for everything. It's too easy to use a compromised CA-cert to dynamically build a TLS proxy cert. Some level of key delivery out-of-band, coupled to in-band footprint verification, is probably needed. zRTP is a good model.
> see comments above re #1.

Ah yes, the old "if we build E2E, nobody will use it" argument. I find that to be an extremely suspicious argument, but recognize it and its kin have, for many years, led us down a rabbit-warren of bad choices, resulting in the problem we have today.

Get over it.

>>> 6) Randomizing interpacket timing is useful. This does all sorts of horrible things to both TCP optimization and the jitter buffers in real-time communications. But it's worth it. Remember, surveillance-resistance is MORE IMPORTANT than efficiency.
> not, it's not worth it. see comment above re #3.

respectfully, either you're playing for the other team, your value-system is inconsistent with mine (and consistent with that of a surveillance state), or both.

If surveillance resistance weren't more important than security, we wouldn't have TOR.

>>> 7) Peer-to-peer, DTN, and peer-relay (TURN, for example) all have lessons we should learn. So does TOR.
> DTN is great for the interplanetary Internet. I prefer realtime performance for almost all of my Earth-bound Internet apps. I suspect other users fell the same way. P2P is fine
> for some apps, but not all, maybe not even many.

But the concepts of peer-validation, explicit (rather than hidden) intermediaries, 

>>> 8) Every piece of crypto-advice needs serious, multiparty, international, and aggressive review. No more documents authored by NSA shills (which Schneier says we seem to have).
> I think we have generally good review for the algs we choose; we periodically review algs and key sizes and make revisions as deemed necessary. We have folks like David McGrew (Cisco) providing much of this expert review. I think we have operated in this mode for many years.


Regrettably, and as a former Cisco employee, I can tell you that folks there also face certain pressures from state actors. I'm sure this is true of most folks. David may be a saint. He might be a devil. But as an external party lacking the expertise, I have no way of telling if his position is biased against my objectives.

So unless we have widespread review, from people likely to be in the influence of multiple and conflicting actors, we really haven't had a review. How widespread? I'm not exactly sure -- but it means more than one review, from more than one company, from more than one sector, and from more than one nation-state at a minimum. Trust is really hard; our best substitute is a very widespread consensus. 

Arguably, the mode that we've operated in for many years has given us a rather bad current situation. Perhaps we should reassess "good enough".

--
Dean

v2.23.0 | Report a Bug | By Email