Re: [saag] Ubiquitous Encryption: content filtering

[Nico Williams <nico@cryptonector.com>]

On Tue, Jun 23, 2015 at 02:47:30PM -0400, Stephen Kent wrote:
> I didn't say that there were god/easy solutions here. I just noted
> that, from an engineering (not regulatory) perspective, there were
> legitimate concerns that should be noted.

OK.

> >And anyways, operators already get to do this by simply forcing users to
> >use devices from the operators (modified to have MITM CA trust anchors).
> >What new technology is being requested here, regardless of whether
> >we'd publish it (though the current position as to that is clear: no;
> >but the IETF consensus can always change)?
>
> Not all "operators" have the ability to impose such constraints. In
> my work environment the parent company is very much a Windows shop.
> But, they have been persuaded that forcing Mac users to adopt their
> preferred OS is not a viable solution (i.e., valuable personnel would
> likely depart).

The differences between a commercial network operator and a corporate
network are mostly about scale and policies to be enforced.  A corporate
network typically has stringent policies about exfiltration of data that
a commercial network operator does not.  But ignoring those differences,
you're right that there are great similarities.  As I said, hierarchical
PK authentication schemes permit MITMing by authorized entities, which
makes me wonder: what else is desired?

I can think of some things, such as lighter-weight key exchange and
authentication [of authorized proxies to clients], and perhaps making
authorized MITMs work with channel binding.  But I've asked and no one
mentioned any such things.  Also, using PKIX has some benefits, such as
allowing a proxy to present as close to the real thing to user agents as
possible, with only subject public keys and issuers being different
(this allows user agents to correctly diagnose issues such as expired
certs).

Options for your corporate network:

 - Give the personnel company-owned Macs with the companies trust
   anchors.

   The empolyees will have to carry these in addition to any personal
   devices, and they'll complain, but look, these options are quickly
   become de rigeur, so if they want to decamp for less secure pastures,
   *let them*.

 - Make the personnel use RDP-type remote access solutions and stop
   caring what they use as a client.

   Conversely, don't let them use personal devices on corporate
   networks.  Provide a corporate wifi for guests and employee devices
   where you won't MITM but might still filter and/or log sites visited
   and so on.  Employees can bring their own network where available
   (e.g., LTE); they'll probably be paying for that regardless.

 - Make the personnel use SSH/mosh jumpservers, with keystroke and
   screen logging, and output rate limits (to slow down exfiltration).

This is fairly standard fare, but also mostly outside the scope of what
IETF participants are likely to care to standardize.

Nico
--