Re: [saag] Ubiquitous Encryption: content filtering
Nico Williams <nico@cryptonector.com> Tue, 23 June 2015 19:16 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DFC21A1A9B for <saag@ietfa.amsl.com>; Tue, 23 Jun 2015 12:16:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pz9HAVe3BReP for <saag@ietfa.amsl.com>; Tue, 23 Jun 2015 12:16:15 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 6D6CB1A1A96 for <saag@ietf.org>; Tue, 23 Jun 2015 12:16:15 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 3ABDC3600FA; Tue, 23 Jun 2015 12:16:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=2u1AC95ckxRCzh 0gJ3cONFdE8sg=; b=O/pBNcx7WqAwz2PhWTbZk0j/qNwRuIxSJZKZzBg86s6C6D gKxbbbvq3o9xQKBn59rIltJvOqM47BarlPBp8iCfPqx63EK/vacwGXjTcjvriTb5 G9Gryfe2ueP2VR9c/d6xXpGh8DipvihZshEmD1Ap0PZXbnER9lFKro76cm/g8=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPA id E008F360124; Tue, 23 Jun 2015 12:16:13 -0700 (PDT)
Date: Tue, 23 Jun 2015 14:16:12 -0500
From: Nico Williams <nico@cryptonector.com>
To: Stephen Kent <kent@bbn.com>
Message-ID: <20150623191610.GW6117@localhost>
References: <99DC814A-2B7D-4802-A1C7-399E77F37BD7@gsma.com> <CABtrr-U9kLfq4GQbWSgPN=wCD=Cdi0uQ+bQqXj35j+PFtuE8Pg@mail.gmail.com> <A4BAAB326B17CE40B45830B745F70F108E070156@VOEXM17W.internal.vodafone.com> <55844743.4030300@cs.tcd.ie> <55886F38.4030906@bbn.com> <20150622211207.GM6117@localhost> <5589A9C2.40802@bbn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5589A9C2.40802@bbn.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/hzzl403qsLpsvQDKON7ybDQbgkk>
Cc: saag@ietf.org
Subject: Re: [saag] Ubiquitous Encryption: content filtering
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2015 19:16:16 -0000
On Tue, Jun 23, 2015 at 02:47:30PM -0400, Stephen Kent wrote: > I didn't say that there were god/easy solutions here. I just noted > that, from an engineering (not regulatory) perspective, there were > legitimate concerns that should be noted. OK. > >And anyways, operators already get to do this by simply forcing users to > >use devices from the operators (modified to have MITM CA trust anchors). > >What new technology is being requested here, regardless of whether > >we'd publish it (though the current position as to that is clear: no; > >but the IETF consensus can always change)? > > Not all "operators" have the ability to impose such constraints. In > my work environment the parent company is very much a Windows shop. > But, they have been persuaded that forcing Mac users to adopt their > preferred OS is not a viable solution (i.e., valuable personnel would > likely depart). The differences between a commercial network operator and a corporate network are mostly about scale and policies to be enforced. A corporate network typically has stringent policies about exfiltration of data that a commercial network operator does not. But ignoring those differences, you're right that there are great similarities. As I said, hierarchical PK authentication schemes permit MITMing by authorized entities, which makes me wonder: what else is desired? I can think of some things, such as lighter-weight key exchange and authentication [of authorized proxies to clients], and perhaps making authorized MITMs work with channel binding. But I've asked and no one mentioned any such things. Also, using PKIX has some benefits, such as allowing a proxy to present as close to the real thing to user agents as possible, with only subject public keys and issuers being different (this allows user agents to correctly diagnose issues such as expired certs). Options for your corporate network: - Give the personnel company-owned Macs with the companies trust anchors. The empolyees will have to carry these in addition to any personal devices, and they'll complain, but look, these options are quickly become de rigeur, so if they want to decamp for less secure pastures, *let them*. - Make the personnel use RDP-type remote access solutions and stop caring what they use as a client. Conversely, don't let them use personal devices on corporate networks. Provide a corporate wifi for guests and employee devices where you won't MITM but might still filter and/or log sites visited and so on. Employees can bring their own network where available (e.g., LTE); they'll probably be paying for that regardless. - Make the personnel use SSH/mosh jumpservers, with keystroke and screen logging, and output rate limits (to slow down exfiltration). This is fairly standard fare, but also mostly outside the scope of what IETF participants are likely to care to standardize. Nico --
- [saag] Ubiquitous Encryption: content filtering Natasha Rooney
- Re: [saag] Ubiquitous Encryption: content filteri… Joseph Lorenzo Hall
- Re: [saag] Ubiquitous Encryption: content filteri… Smith, Kevin, (R&D) Vodafone Group
- Re: [saag] Ubiquitous Encryption: content filteri… Joseph Lorenzo Hall
- Re: [saag] Ubiquitous Encryption: content filteri… Stephen Farrell
- Re: [saag] Ubiquitous Encryption: content filteri… Randy Bush
- Re: [saag] Ubiquitous Encryption: content filteri… Stephen Kent
- Re: [saag] Ubiquitous Encryption: content filteri… Nico Williams
- Re: [saag] Ubiquitous Encryption: content filteri… Christian Huitema
- Re: [saag] Ubiquitous Encryption: content filteri… Nico Williams
- Re: [saag] Ubiquitous Encryption: content filteri… Ted Hardie
- Re: [saag] Ubiquitous Encryption: content filteri… Nico Williams
- Re: [saag] Ubiquitous Encryption: content filteri… Randy Bush
- Re: [saag] Ubiquitous Encryption: content filteri… Tom Ritter
- Re: [saag] Ubiquitous Encryption: content filteri… Natasha Rooney
- Re: [saag] Ubiquitous Encryption: content filteri… Kathleen Moriarty
- Re: [saag] Ubiquitous Encryption: content filteri… Yoav Nir
- Re: [saag] Ubiquitous Encryption: content filteri… Kathleen Moriarty
- Re: [saag] Ubiquitous Encryption: content filteri… Natasha Rooney
- Re: [saag] Ubiquitous Encryption: content filteri… Stephen Kent
- Re: [saag] Ubiquitous Encryption: content filteri… Nico Williams
- Re: [saag] Ubiquitous Encryption: content filteri… Phillip Hallam-Baker
- Re: [saag] Ubiquitous Encryption: content filteri… Tom Ritter
- Re: [saag] Ubiquitous Encryption: content filteri… Natasha Rooney
- Re: [saag] Ubiquitous Encryption: content filteri… Kathleen Moriarty