Re: [rtcweb] Security Architecture -07 review

Dan Wing <dwing@cisco.com> Fri, 26 July 2013 00:34 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEC0E21F8749 for <rtcweb@ietfa.amsl.com>; Thu, 25 Jul 2013 17:34:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.556
X-Spam-Level:
X-Spam-Status: No, score=-110.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9YVctOunObA for <rtcweb@ietfa.amsl.com>; Thu, 25 Jul 2013 17:34:28 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com [173.36.130.12]) by ietfa.amsl.com (Postfix) with ESMTP id C2A2921F86BE for <rtcweb@ietf.org>; Thu, 25 Jul 2013 17:34:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1948; q=dns/txt; s=iport; t=1374798868; x=1376008468; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=yFfguRhPYuUe+b8VlHoDDkTjS8kiZEiry7vhfGj+s8c=; b=Un9D5haSuCsrp7czFE+nI8MT7AGGQtAyjXy8LXrElrN+p1YjqrVfMSBq paOF0utd7n29U8zYkl0zTqrmk3vop4EADWYn+l4MvzVhnEMIYr9lJkuPy jE9ryfBUZXUg5lay0nLCKuZNeohqnGVYVqgFKjI2lxuA2+yI3hX4fkYVt 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhAFAF7D8VGrRDoH/2dsb2JhbABRCYMGvmmBFBZ0giQBAQEDATo/BQsLEgYuISgOBhOHfgMJBbAoDYhejRWBMIEFMweDEm4DiSqMTIFpjCeFJoM0HA
X-IronPort-AV: E=Sophos;i="4.89,746,1367971200"; d="scan'208";a="84221360"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-1.cisco.com with ESMTP; 26 Jul 2013 00:34:28 +0000
Received: from sjc-vpn7-2043.cisco.com (sjc-vpn7-2043.cisco.com [10.21.151.251]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r6Q0YR6K017162; Fri, 26 Jul 2013 00:34:27 GMT
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <CABkgnnXq4fJf2dCTKaU_O1LLagVVKqnwnnLXS4ZmEwyH+5wKZQ@mail.gmail.com>
Date: Thu, 25 Jul 2013 17:34:27 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <22027904-8F7D-4CB7-B002-39973D201D7A@cisco.com>
References: <CABkgnnWUZXBRneGnRsA9Xo-rrdw7nAsBR+5SL6SRyjbR+Egfgw@mail.gmail.com> <D96D0971-E3A7-4E96-B3F4-83C2044252B7@cisco.com> <CABkgnnW71aGwgaX3oBYofQaHP7pFyyh9mGifXdFL=NYiJ+qfYw@mail.gmail.com> <3F737E1C-BBF9-4399-8B7D-B50FB4A2FFC0@cisco.com> <CABkgnnXq4fJf2dCTKaU_O1LLagVVKqnwnnLXS4ZmEwyH+5wKZQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.1508)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Security Architecture -07 review
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2013 00:34:33 -0000

On Jul 25, 2013, at 5:12 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

No comment on leaking information at other layers?  We just improved the RTCP CNAME to remove its leakage (draft-ietf-avtcore-6222bis), as an example of reducing -- rather than expanding -- personally-identifyable super-cookies.  The DTLS handshake is over the same media path improved by 6222bis.

> On 25 July 2013 17:00, Dan Wing <dwing@cisco.com> wrote:
>>> The concern is the first party, who gets the certificate.  Using DH
>>> isn't going to fix that.
>> 
>> Then you're arguing for "endpoint MUST NOT change its certificate".
> 
> Nope.  There are reasons to maintain a stable certificate (being able
> to audit old calls is helped by this, though a log of fingerprints
> used for calls over time might do the same, albeit a little less
> transparently; performance is another reason), just as there are
> reasons to change the certificate (privacy, mainly an ability to keep
> peers from linking calls).
> 
> And yes, generally DH > not DH, but I'm not sure the benefits are
> huge, depending on what your threat model is.  I was just pointing out
> that it doesn't actually help for the cases that I was really
> concerned about.  The women's shelter case in particular.

Thanks for the explanation.  I concur the public/private key needs a way to be destroyed and a new one generated. 

We could envision a more sophisticated mechanism, based on lots of different criteria, where different public/private key pairs are used and where some are destroyed immediately after certain calls.  For example, I might want to use a public/private key pair for all of my work calls and leave that static (as I want that identity to stick with me) but an ephemeral, one-time-only public/private key pair when not engaging in phone calls related to my work, such as calling my psychologist.

-d