IETF Logo Mail Archive

Re: [Rum] [EXT] RUM security model

"Asveren, Tolga" <tasveren@rbbn.com> Fri, 16 October 2020 11:13 UTC

Return-Path: <tasveren@rbbn.com>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C0373A0EA7 for <rum@ietfa.amsl.com>; Fri, 16 Oct 2020 04:13:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rbbn.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9JcfAIuD1KFz for <rum@ietfa.amsl.com>; Fri, 16 Oct 2020 04:13:24 -0700 (PDT)
Received: from us-smtp-delivery-181.mimecast.com (us-smtp-delivery-181.mimecast.com [216.205.24.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9987D3A0EA8 for <rum@ietf.org>; Fri, 16 Oct 2020 04:13:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rbbn.com; s=mimecast20180816; t=1602846803; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=4bDLa5r0YdcQ2KF+/ECqG4mmv8EV6D1BX3RYnfn/vjc=; b=kEppe2mb82KsiEOE0qJ19DqxK993EiQafMlCn1CoeiPC4xg5P6ytFLUH3fY4tFVtwH+W6L QaDsO16doTD6alBnhcuu2rVvaBehBwwGsGC3GQciEx0/mX4JUt1MAlogSBK1JGlvgTZtUx bTi4OJapBNrH+tUZt2jfNzgiK5PutOw=
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11lp2175.outbound.protection.outlook.com [104.47.56.175]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-229-fTT2bFhlMGC8MgJV9AHBug-1; Fri, 16 Oct 2020 07:13:20 -0400
Received: from BN7PR03MB3827.namprd03.prod.outlook.com (2603:10b6:408:23::13) by BN7PR03MB4324.namprd03.prod.outlook.com (2603:10b6:408:d::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3477.21; Fri, 16 Oct 2020 11:13:18 +0000
Received: from BN7PR03MB3827.namprd03.prod.outlook.com ([fe80::80a3:233e:f637:82ce]) by BN7PR03MB3827.namprd03.prod.outlook.com ([fe80::80a3:233e:f637:82ce%4]) with mapi id 15.20.3477.021; Fri, 16 Oct 2020 11:13:17 +0000
From: "Asveren, Tolga" <tasveren@rbbn.com>
To: Brian Rosen <br@brianrosen.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>
CC: "rum@ietf.org" <rum@ietf.org>
Thread-Topic: [Rum] [EXT] RUM security model
Thread-Index: AQHWlnxNAnUfnXXxW02AjUdBdxV5TKmBxBhggAAW2wCAF0rLoIAAMpaAgAAXOoCAAAeJgIAAAV6AgAC02rA=
Date: Fri, 16 Oct 2020 11:13:17 +0000
Message-ID: <BN7PR03MB38274F0EC8862307B0C02284A5030@BN7PR03MB3827.namprd03.prod.outlook.com>
References: <4d6ba97f-a83d-3d36-14a9-c6e84dd5b874@alum.mit.edu> <7A11F680-9EA6-4477-9BD8-6A7755AD0054@brianrosen.net> <7fdb95e6-e954-7275-60f7-462cf07eff0e@alum.mit.edu> <CAOPrzE1ONDUcGwvcfRhpyu9YM5JJJD92AsLKaeXvXqH4fmNbBw@mail.gmail.com>
In-Reply-To: <CAOPrzE1ONDUcGwvcfRhpyu9YM5JJJD92AsLKaeXvXqH4fmNbBw@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [73.80.74.66]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 97782a19-a1b1-4518-8610-08d871c47bbd
x-ms-traffictypediagnostic: BN7PR03MB4324:
x-microsoft-antispam-prvs: <BN7PR03MB4324267D6F8D2EFE0763ECE1A5030@BN7PR03MB4324.namprd03.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: Ei6VJUTV4Ryj4tg2X6T2pBok+hg8f90Uo9Fkfn7+OaxCqYAwXzG1FtKRn683FKwDwX7mMFxp42K9KpOAhwlVjsxj+o6Ubnm47GJjWpF/fgjZoCw9r/ql7OAgXqPkPt2NSVmB4cq04mNadpmtQsLAFwgmXivRERU3dusLiZY93cv4hbvG46Tgba7sKzkNoxCUCAvGO3UZqbQSiJPphgaHZ0wtnpaGXISxwiOE9F6YnQgpRvIa3b8iCv7LhcFN+My145zTKQz1UgDyemGZBEmJis2EtsLlBn9LNX+XEZwGNMeyyT+u2BeGON1uFqqt9200/ms35Q7jyFDLJZerRKc2mBRtTjixcsuyAmIh+Dyzo9BiaIYmcs2f4N8whwRjGcwee0K5cgWUVXRc9PGoxeQEhQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR03MB3827.namprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(376002)(136003)(396003)(346002)(39860400002)(2906002)(76116006)(55016002)(5660300002)(6506007)(4326008)(33656002)(53546011)(86362001)(110136005)(66946007)(26005)(316002)(186003)(71200400001)(15650500001)(66476007)(66556008)(64756008)(66446008)(83380400001)(52536014)(7696005)(966005)(478600001)(8936002)(8676002)(166002)(9686003); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata: SdQt3hSFvJmgbakAcAQh34BMYtfBAZjmXDH9IJI5QnubOm8aBda/1ExmnbK7zxmicMRFsp5G2nys1P/TTPhajlG9YFL+VYzDDOKhsxicMJQCjqbA7lEEVUkv8xVgU/HMLBVfg1s5wqCnrjFqnj5214n3a2m348xOcXDm6YR24hfpiqQ2vOXUAjbTZJhWF+3a2HKRuoYjiH69XhGHTlmL/PBD0eWSrVQoV10nPu+oG1rNsm4N/3XKE/4t5xDVoWpPvyQZtSO0QBKPti4k4q8TRDUamPypEOwt3UlthQ5l5M01sRc2FU0ziiWUgVZo8qB9kEDtzn/0dBCLMLWMjeoQErgNAQuYdkAYfABF7xe8LIz9Mirw0AlKieTa88MMMAyR95ghlYhvs2zHaoO29bq/jFe7oXBiuZuiwnBXwtNHODhp11PC1RgEOS12p4mjR4I6rTYmSx5FlzbhalBcISGNjedT18EPkpHhNYy0dQJhU35dA+NYmQK7EWMDSn3QbwoiLleSAhaS22J1ySmyoSHOVBmLtXJfpImP9C13WvicxgFpbvo0/5rt2Xb3OWKvso8Q91S1szsE7nbVShEgL8ojG56Pm3YeE0kRRk56jAKq7+pBsgucBFdOqHHS7rEQMqhEj/+9IxGlesNP53jmDgkrCg==
x-ms-exchange-transport-forked: True
x-mc-unique: fTT2bFhlMGC8MgJV9AHBug-1
x-originatororg: rbbn.com
x-ms-exchange-crosstenant-authas: Internal
x-ms-exchange-crosstenant-authsource: BN7PR03MB3827.namprd03.prod.outlook.com
x-ms-exchange-crosstenant-network-message-id: 97782a19-a1b1-4518-8610-08d871c47bbd
x-ms-exchange-crosstenant-originalarrivaltime: 16 Oct 2020 11:13:17.4143 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Hosted
x-ms-exchange-crosstenant-id: 29a671dc-ed7e-4a54-b1e5-8da1eb495dc3
x-ms-exchange-crosstenant-mailboxtype: HOSTED
x-ms-exchange-crosstenant-userprincipalname: cyDUgg4eJf68E2TmAv8+zy/yAYyvMUiFNxViGVsF84+x1KXas8Rj9jEJZeOqgmv7zpSmOunEvjhjiFEBhJXwGg==
x-ms-exchange-transport-crosstenantheadersstamped: BN7PR03MB4324
MIME-Version: 1.0
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA81A106 smtp.mailfrom=tasveren@rbbn.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: rbbn.com
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_BN7PR03MB38274F0EC8862307B0C02284A5030BN7PR03MB3827namp_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/6-fcTH2ggDC3kn2NVX3g1OilcAM>
Subject: Re: [Rum] [EXT] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2020 11:13:27 -0000

A framework based on TPM could help but I am not sure whether mandating that is the right approach for this document. It may be sufficient to mention about the threat/possible remedy in the Security Considerations section.

Thanks,
Tolga

From: Rum <rum-bounces@ietf.org> On Behalf Of Brian Rosen
Sent: Thursday, October 15, 2020 8:25 PM
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Cc: rum@ietf.org
Subject: Re: [Rum] [EXT] RUM security model

________________________________
NOTICE: This email was received from an EXTERNAL sender
________________________________

Nope, it just takes a hacker to create a piece of code that patches an app to look like another app.

On Thu, Oct 15, 2020 at 8:19 PM Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>> wrote:
On 10/15/20 7:52 PM, Brian Rosen wrote:
> I don’t think even that would work because there isn’t any way to know that the app that was approved is the app that is being used.

Yes, I guess you are right. But at least it would require the end user
to enter into a conspiracy with the app developers, and be able to get
the credential out of one app and into another.

        Thanks,
        Paul

> What systems like iOS does is rely on the fact that you can’t download and run an app that hasn’t been vetted. The code is signed and the signature is checked every time the app starts. We don’t have an environment like that.  We can’t control what is downloaded and we can’t check signatures.

> I don’t think there is a reliable way to do this. If someone has an idea, please explain it, but we can’t be in a “you do something” position without a clue as to how.
>
> Now, if the app was an iOS app, then the right thing happens. There are few other systems that are wired down like that. Android, for example, allows you to download and run from arbitrary sites if the device is configured to allow that.
>
> Brian
>
>
>> On Oct 15, 2020, at 6:30 PM, Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>> wrote:
>>
>> Eugene,
>>
>>> On 10/15/20 3:30 PM, Eugene Christensen wrote:
>>> Brian,
>>> Admittedly I do not fully understand certificates and authentication but would client certificates or mutual authentication with a shared secret work here?
>>
>> I'm also not a security expert. To my understanding, the key problem is that you want a proof that an implementation has passed some sort of test. That is more or less equivalent to having a special certification authority that is able to assign a certificate based on the passing of a test. But for the system to work that certificate needs to be bound to the entity (hw/sw) that passed the test. It can't be possible to transfer that certificate to a different device.
>>
>> A possible alternative would be for each provider to have its own test service. When a user gets a new device/application, as part of the initial registration of their device with the provider, this test would be run. Then the result of that would be granting of credentials for that device to access that provider's system.
>>
>>     Thanks,
>>     Paul
>>
>>> Thank you.
>>> Eugene
>>> *CONFIDENTIALITY NOTICE.*This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential and proprietary information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail at echristensen@sorenson.com<mailto:echristensen@sorenson.com> <mailto:echristensen@sorenson.com<mailto:echristensen@sorenson.com>>or by telephone at +1 (801) 287-9419, and destroy the original transmission and its attachments without reading them or saving them to disk.
>>> *From:* Brian Rosen <br@brianrosen.net<mailto:br@brianrosen.net>>
>>> *Sent:* Wednesday, September 30, 2020 5:47 PM
>>> *To:* Eugene Christensen <echristensen@sorenson.com<mailto:echristensen@sorenson.com>>
>>> *Cc:* rum@ietf.org<mailto:rum@ietf.org>
>>> *Subject:* Re: [Rum] [EXT] RUM security model
>>> [EXTERNAL]
>>> I think we understand why you want it. What we don’t understand is what mechanism would provide it. I am generally aware of this class of problem and I’m not aware of a solution that will work.  So what we need is a suggested mechanism that provides the assurance you want that is technically sound.
>>> Brian
>>> On Wed, Sep 30, 2020 at 6:30 PM Eugene Christensen <echristensen@sorenson.com<mailto:echristensen@sorenson.com> <mailto:echristensen@sorenson.com<mailto:echristensen@sorenson.com>>> wrote:
>>>     Thanks for considering how we might implement this security
>>>     mechanism.  May I add my voice that it is essential that we find an
>>>     option for providing this desired security, whatever it is.  It
>>>     could be detrimental to the VRS providers to have UAs out there,
>>>     with the ability to register with VRS providers without first being
>>>     fully vetted.  It is our practice anytime we make updates to our UAs
>>>     to test how they work with our UAS before we ever release the new UA
>>>     software into our production environment.  We only want UAs
>>>     registering that have undergone this rigorous testing with our
>>>     systems and then only with users which we have awareness of.
>>>     Thanks,
>>>     Eugene Christensen
>>>     CONFIDENTIALITY NOTICE. This e-mail transmission, and any documents,
>>>     files or previous e-mail messages attached to it, may contain
>>>     confidential and proprietary information. If you are not the
>>>     intended recipient, or a person responsible for delivering it to the
>>>     intended recipient, you are hereby notified that any disclosure,
>>>     copying, distribution or use of any of the information contained in
>>>     or attached to this message is STRICTLY PROHIBITED. If you have
>>>     received this transmission in error, please immediately notify me by
>>>     reply e-mail at echristensen@sorenson.com<mailto:echristensen@sorenson.com>
>>>     <mailto:echristensen@sorenson.com<mailto:echristensen@sorenson.com>> or by telephone at +1 (801)
>>>     287-9419, and destroy the original transmission and its attachments
>>>     without reading them or saving them to disk.
>>>     --     Rum mailing list
>>>     Rum@ietf.org<mailto:Rum@ietf.org> <mailto:Rum@ietf.org<mailto:Rum@ietf.org>>
>>>     https://www.ietf.org/mailman/listinfo/rum<https://www.ietf.org/mailman/listinfo/rum>
>>>     <https://www.ietf.org/mailman/listinfo/rum<https://www.ietf.org/mailman/listinfo/rum>>
>>
>> --
>> Rum mailing list
>> Rum@ietf.org<mailto:Rum@ietf.org>
>> https://www.ietf.org/mailman/listinfo/rum<https://www.ietf.org/mailman/listinfo/rum>


-----------------------------------------------------------------------------------------------------------------------
Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. that
is confidential and/or proprietary for the sole use of the intended recipient.  Any review, disclosure, reliance or
distribution by others or forwarding without express permission is strictly prohibited.  If you are not the intended
recipient, please notify the sender immediately and then delete all copies, including any attachments.
-----------------------------------------------------------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email