Re: [Rum] [EXT] RUM security model
Brian Rosen <br@brianrosen.net> Fri, 16 October 2020 00:24 UTC
Return-Path: <br@brianrosen.net>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AC0B3A0D36 for <rum@ietfa.amsl.com>; Thu, 15 Oct 2020 17:24:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ng6YQaHTcE1N for <rum@ietfa.amsl.com>; Thu, 15 Oct 2020 17:24:43 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1CD03A0D33 for <rum@ietf.org>; Thu, 15 Oct 2020 17:24:42 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id c15so641511qtc.2 for <rum@ietf.org>; Thu, 15 Oct 2020 17:24:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vckQu6xMJ3+oqAklqe4RrN/nqV0t4JF6vmf6SLGwSxM=; b=InNEXxiJBYUA6k2uXhijzNdaJZK+ziHfeaGx6QI6RBDyE49gpww5J7qTJAwTxYMJcN wBfGtxgNJBpZbmU1S8x1TR1OKkKLCxAiUvsHGMUTmBrzDWNKdPbgDyaRSfTbWoyuthAz LFMWcT2uRLlM34gYdsYUwyZgMDf5xfPH7KcBG6J+rKmqLghIYZvuaZSUhI7tEPfaZs+H yU/4usYF+9la9qPDuC53+2liqx7UpU1Np+BRgkjFjhvc7zJtunuwJgkOTackgBpmXN0E UC3XMf79vqcuDns7g2jx7xkFVozKK2vsHGJbc8+LZK6NmB3DeitC5dV6W+dPj/8MGho6 idEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vckQu6xMJ3+oqAklqe4RrN/nqV0t4JF6vmf6SLGwSxM=; b=AeCE0YRH95cwBesrPmwulfyjya3OORvtkj1y0TKrSSbS4IpVNZ6b8IKAIDOvrH2kdW pOK6OUc5I2MQgPelOK/IIxVv9loAa2fPUrv7MDTRY/H9fauqkb9qQhW5SWDDP4VAzUwT XlwoQ1297l9xui4sOudvKaUjuk31L3+RWqJwdUZAbwtvseRBy27DGSPZsJFpg/0WK1yT Y2PHoPwosVqhIpyEvrUkr9Qn5PLB0Ihpubk0ws9vLJWjcBZb1GY/EQ8BXSXEmSiUKx7W XIh0y1Poo63qWAJpZLNCyYVCi56X2xQsSc3RnpASqF76a+SrQYENUGUhjQe8HxIpNy+3 qUCw==
X-Gm-Message-State: AOAM532j9bFUaOkgPPUnBFwRjeUp+ee4Cf5BRoqlwm9gXhJykMcFi+ua QhS4sxSZZ51Fnqh+HJwPHoCpxtyS/a7osXQaM/gNdA==
X-Google-Smtp-Source: ABdhPJyT8AYeypeNH3QtfSGKJL6r2z/tBRVwhYH3Gb7qCVRR/NGq0mmo8WkyHWSkdrhxZyLvUkPyBrP/D6kbks2qRYE=
X-Received: by 2002:ac8:44bc:: with SMTP id a28mr951625qto.214.1602807881891; Thu, 15 Oct 2020 17:24:41 -0700 (PDT)
MIME-Version: 1.0
References: <4d6ba97f-a83d-3d36-14a9-c6e84dd5b874@alum.mit.edu> <7A11F680-9EA6-4477-9BD8-6A7755AD0054@brianrosen.net> <7fdb95e6-e954-7275-60f7-462cf07eff0e@alum.mit.edu>
In-Reply-To: <7fdb95e6-e954-7275-60f7-462cf07eff0e@alum.mit.edu>
From: Brian Rosen <br@brianrosen.net>
Date: Thu, 15 Oct 2020 20:24:31 -0400
Message-ID: <CAOPrzE1ONDUcGwvcfRhpyu9YM5JJJD92AsLKaeXvXqH4fmNbBw@mail.gmail.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Cc: rum@ietf.org
Content-Type: multipart/alternative; boundary="000000000000719bc405b1becaff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/DTELP039aRmRIwnmsJOwgQh-5YA>
Subject: Re: [Rum] [EXT] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2020 00:24:45 -0000
Nope, it just takes a hacker to create a piece of code that patches an app to look like another app. On Thu, Oct 15, 2020 at 8:19 PM Paul Kyzivat <pkyzivat@alum.mit.edu> wrote: > On 10/15/20 7:52 PM, Brian Rosen wrote: > > I don’t think even that would work because there isn’t any way to know > that the app that was approved is the app that is being used. > > Yes, I guess you are right. But at least it would require the end user > to enter into a conspiracy with the app developers, and be able to get > the credential out of one app and into another. > > Thanks, > Paul > > > What systems like iOS does is rely on the fact that you can’t download > and run an app that hasn’t been vetted. The code is signed and the > signature is checked every time the app starts. We don’t have an > environment like that. We can’t control what is downloaded and we can’t > check signatures. > > > I don’t think there is a reliable way to do this. If someone has an > idea, please explain it, but we can’t be in a “you do something” position > without a clue as to how. > > > > Now, if the app was an iOS app, then the right thing happens. There are > few other systems that are wired down like that. Android, for example, > allows you to download and run from arbitrary sites if the device is > configured to allow that. > > > > Brian > > > > > >> On Oct 15, 2020, at 6:30 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> > wrote: > >> > >> Eugene, > >> > >>> On 10/15/20 3:30 PM, Eugene Christensen wrote: > >>> Brian, > >>> Admittedly I do not fully understand certificates and authentication > but would client certificates or mutual authentication with a shared secret > work here? > >> > >> I'm also not a security expert. To my understanding, the key problem is > that you want a proof that an implementation has passed some sort of test. > That is more or less equivalent to having a special certification authority > that is able to assign a certificate based on the passing of a test. But > for the system to work that certificate needs to be bound to the entity > (hw/sw) that passed the test. It can't be possible to transfer that > certificate to a different device. > >> > >> A possible alternative would be for each provider to have its own test > service. When a user gets a new device/application, as part of the initial > registration of their device with the provider, this test would be run. > Then the result of that would be granting of credentials for that device to > access that provider's system. > >> > >> Thanks, > >> Paul > >> > >>> Thank you. > >>> Eugene > >>> *CONFIDENTIALITY NOTICE.*This e-mail transmission, and any documents, > files or previous e-mail messages attached to it, may contain confidential > and proprietary information. If you are not the intended recipient, or a > person responsible for delivering it to the intended recipient, you are > hereby notified that any disclosure, copying, distribution or use of any of > the information contained in or attached to this message is STRICTLY > PROHIBITED. If you have received this transmission in error, please > immediately notify me by reply e-mail at echristensen@sorenson.com > <mailto:echristensen@sorenson.com>or by telephone at +1 (801) 287-9419, > and destroy the original transmission and its attachments without reading > them or saving them to disk. > >>> *From:* Brian Rosen <br@brianrosen.net> > >>> *Sent:* Wednesday, September 30, 2020 5:47 PM > >>> *To:* Eugene Christensen <echristensen@sorenson.com> > >>> *Cc:* rum@ietf.org > >>> *Subject:* Re: [Rum] [EXT] RUM security model > >>> [EXTERNAL] > >>> I think we understand why you want it. What we don’t understand is > what mechanism would provide it. I am generally aware of this class of > problem and I’m not aware of a solution that will work. So what we need is > a suggested mechanism that provides the assurance you want that is > technically sound. > >>> Brian > >>> On Wed, Sep 30, 2020 at 6:30 PM Eugene Christensen < > echristensen@sorenson.com <mailto:echristensen@sorenson.com>> wrote: > >>> Thanks for considering how we might implement this security > >>> mechanism. May I add my voice that it is essential that we find an > >>> option for providing this desired security, whatever it is. It > >>> could be detrimental to the VRS providers to have UAs out there, > >>> with the ability to register with VRS providers without first being > >>> fully vetted. It is our practice anytime we make updates to our > UAs > >>> to test how they work with our UAS before we ever release the new > UA > >>> software into our production environment. We only want UAs > >>> registering that have undergone this rigorous testing with our > >>> systems and then only with users which we have awareness of. > >>> Thanks, > >>> Eugene Christensen > >>> CONFIDENTIALITY NOTICE. This e-mail transmission, and any > documents, > >>> files or previous e-mail messages attached to it, may contain > >>> confidential and proprietary information. If you are not the > >>> intended recipient, or a person responsible for delivering it to > the > >>> intended recipient, you are hereby notified that any disclosure, > >>> copying, distribution or use of any of the information contained in > >>> or attached to this message is STRICTLY PROHIBITED. If you have > >>> received this transmission in error, please immediately notify me > by > >>> reply e-mail at echristensen@sorenson.com > >>> <mailto:echristensen@sorenson.com> or by telephone at +1 (801) > >>> 287-9419, and destroy the original transmission and its attachments > >>> without reading them or saving them to disk. > >>> -- Rum mailing list > >>> Rum@ietf.org <mailto:Rum@ietf.org> > >>> https://www.ietf.org/mailman/listinfo/rum > >>> <https://www.ietf.org/mailman/listinfo/rum> > >> > >> -- > >> Rum mailing list > >> Rum@ietf.org > >> https://www.ietf.org/mailman/listinfo/rum > >
- [Rum] I-D Action: draft-ietf-rum-rue-03.txt internet-drafts
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt Brian Rosen
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt Paul Kyzivat
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt James Hamlin
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt Paul Kyzivat
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt James Hamlin
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt Brian Rosen
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt Paul Kyzivat
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt Paul Kyzivat
- [Rum] RUM security model Paul Kyzivat
- Re: [Rum] RUM security model Brian Rosen
- Re: [Rum] RUM security model Paul Kyzivat
- Re: [Rum] RUM security model Paul Kyzivat
- Re: [Rum] RUM security model Olle E. Johansson
- Re: [Rum] [EXT] RUM security model Jim Malloy
- Re: [Rum] RUM security model Brian Rosen
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Jim Malloy
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Eugene Christensen
- Re: [Rum] [EXT] RUM security model Brian Rosen
- Re: [Rum] I-D Action: draft-ietf-rum-rue-03.txt Brian Rosen
- Re: [Rum] [EXT] RUM security model Eugene Christensen
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Brian Rosen
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Brian Rosen
- Re: [Rum] [EXT] RUM security model Asveren, Tolga
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Brian Rosen
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Eugene Christensen
- Re: [Rum] [EXT] RUM security model Brian Rosen
- Re: [Rum] [EXT] RUM security model Olle E. Johansson
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Eugene Christensen
- Re: [Rum] [EXT] RUM security model Paul Kyzivat
- Re: [Rum] [EXT] RUM security model Brian Rosen
- Re: [Rum] [EXT] RUM security model Eugene Christensen
- Re: [Rum] [EXT] RUM security model Brian Rosen