IETF Logo Mail Archive

Re: [saag] draft-mm-wg-effect-encrypt-03

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 16 October 2016 18:27 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40BF312940E for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 11:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level:
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMG7ZoyPwMaZ for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 11:27:40 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37759126579 for <saag@ietf.org>; Sun, 16 Oct 2016 11:27:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3037BBE3E; Sun, 16 Oct 2016 19:27:38 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9tw2k0aR4oIl; Sun, 16 Oct 2016 19:27:36 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 257E4BE39; Sun, 16 Oct 2016 19:27:36 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476642456; bh=WOqKUA49Dc3uOxOInDyEIzCjPM51d+fCsRMIHWc6AOI=; h=Subject:To:References:From:Date:In-Reply-To:From; b=oijUhCGRiffCXGTz+KmlmBrGri41xUfFzgreL+5hrYbGj0N6K0lELSZ3pX+omw7x3 iTDO9qRhqMOl92vW6PuFJwR7cklRvY9XfVyoSExcw9pQRlV6u+6ofiK9mZLJiMpao7 PLYcM5pjfmGzf0JN4ppv+3nnNNjIH32o2J8GndWU=
To: "MORTON, ALFRED C (AL)" <acmorton@att.com>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, "saag@ietf.org" <saag@ietf.org>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com> <2122275166.97735.1476361683603@mail.yahoo.com> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com> <b1e82376-68b9-f2d5-d06e-225b84b5e9ba@cs.tcd.ie> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A8@NJFPSRVEXG0.research.att.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <71f30bfd-ee8b-942a-4058-6f95b15a2b2e@cs.tcd.ie>
Date: Sun, 16 Oct 2016 19:27:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A8@NJFPSRVEXG0.research.att.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms000601080203040705060302"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qj57-z8wvxBjiHIGqOnvlltDZIY>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 18:27:42 -0000

Hi Al,

On 16/10/16 18:19, MORTON, ALFRED C (AL) wrote:
> 
> Clearly, changes in current management practices will be needed,
> and that process could be more efficient with constructive input
> from all involved. Understanding the many gaps is the first step,
> and IMO, what this memo is about.  No arguing for solutions,
> MITM or otherwise.

I agree. Figuring out what solutions are needed for n/w
management given the fact of much more ciphertext is work for
another day and for other documents and WGs.

I think what makes this tricky is that people understandably
tend to mix up current solutions and requirements, e.g. it is
natural enough (but wrong) to think that because I do X today
that that implies doing X is required (and hence language like
"valuable" etc.).

We directly saw that in the recent TLS WG discussion of RSA key
transport, which was kicked off by (I think) the same set of
folks. In the end the TLS WG chairs saw a very clear consensus
to stick with PFS and to not add back RSA key transport to
TLS1.3, despite RSA key transport being a "feature" on which
it appears some enterprise networks still seem to depend for
some forms of "attacking"/deciphering traffic to/from their own
TLS servers.

I think another related thing we need to be careful about here
are claims of utility for features where there is little or no
(at least public) evidence but only assertion. For example, many
of the claims I hear about the effectiveness of scanning outbound
traffic seem dubious to me, so we'll want to try find evidence
to backup claims along those lines too if we want this document
to be of most use later on. (Or to qualify such things as being
e.g. "current practices for which there isn't such good evidence"
or something.)

Buy hey, that's why you get all those big bucks for being such
good document editors/authors I guess:-)

Cheers,
S.

v2.23.0 | Report a Bug | By Email