IETF Logo Mail Archive

Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

Thomas Hardjono <hardjono@mit.edu> Thu, 14 March 2024 12:21 UTC

Return-Path: <hardjono@mit.edu>
X-Original-To: sat@ietfa.amsl.com
Delivered-To: sat@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16D98C14F6AF for <sat@ietfa.amsl.com>; Thu, 14 Mar 2024 05:21:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.004
X-Spam-Level:
X-Spam-Status: No, score=-7.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, TRACKER_ID=0.1, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sgS-WBpG2yjQ for <sat@ietfa.amsl.com>; Thu, 14 Mar 2024 05:21:14 -0700 (PDT)
Received: from NAM02-BN1-obe.outbound.protection.outlook.com (mail-bn1nam02on2100.outbound.protection.outlook.com [40.107.212.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF991C15792A for <sat@ietf.org>; Thu, 14 Mar 2024 05:21:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QSnyW6cO/f5cyIXxGEHA4pK0xUL2fvkah7dc2omQ7LuoGYKZtO8t+tTcPdfLpt4lujQVrJ5nZchphxW9xeeby5EGocUV/NM5b03wMPwee8hBEmMNlKqzvhk+QhC4tR49qoJfi/N8Kp8okYZC+AXoxlWt85GqaGaRS6rIbaNHdy4F34fqCY5/o11CVQTFGJITY2pae0QZdhWBidbqQ+uWOJKuZaljfbF0Aa3XQER+2eAo6qwKyQa9y6KW+4EeCEYT+W3WNMixP4hXctG7thUTt2Hkm/q3xr/zGD26mQ9XZVS7kFovS+94soOfuo65cSB/hHWbrfPU8355/TZb/MobzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=QArJvV1IIRpesiNbIuVTAZjbgU03d8ks5//8fWk0mLc=; b=I7phu3/pntzugldveUqZAKYORW4UezWD7FU8Poy5WpT3VEYonuUnuQfrV4KnhkUnan+Uc72Q0ze8nbbRvU82PgYRfxd9n+5QlcI2LQcoJDuBUr6KjjEFrSE8LuqN0FTZsNY8FwECVXZIo3KTQ7IUog0PTfeROxpisJV9g8TJXrn3X5BaGtUTiAYcujeL/tICsHswVwz2+mRyS1nb3KCoekRzz4VbODHaayuU23Y89z+VzwGhscjr7HWatn3kODQ/BJ41cTo+29Oj9n+FBmQXDp/VmYuzDLchz5Akl+2F8tBIfbYYi7gOjWGcAE5X/vP7otnfJOWXrU3BI1pp151s6Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QArJvV1IIRpesiNbIuVTAZjbgU03d8ks5//8fWk0mLc=; b=a7lBulpW0kSdeaCCfqP+dsnUKXuoOORjroxcU8g0XzgxZjSAOWUnfKoTVvMGsZDTJLsJLfnxovlx3Yn7uft5TYc8R3sIGDPfs9rdI7nBmmIAB51G3T0KR4Z7JgDURHE+RkIHfezrhzGVAGBF+sPrlN6f2LgsfNZGLus/e3cdSeI=
Received: from DM6PR01MB4395.prod.exchangelabs.com (2603:10b6:5:7a::16) by MW4PR01MB6145.prod.exchangelabs.com (2603:10b6:303:70::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7362.36; Thu, 14 Mar 2024 12:21:10 +0000
Received: from DM6PR01MB4395.prod.exchangelabs.com ([fe80::e4f9:514d:5169:6582]) by DM6PR01MB4395.prod.exchangelabs.com ([fe80::e4f9:514d:5169:6582%5]) with mapi id 15.20.7386.017; Thu, 14 Mar 2024 12:21:10 +0000
From: Thomas Hardjono <hardjono@mit.edu>
To: "ladler2@bellatlantic.net" <ladler2@bellatlantic.net>, "sat@ietf.org" <sat@ietf.org>, Thomas Hardjono <hardjono@mit.edu>
Thread-Topic: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
Thread-Index: AQHacitFHn4v6HjvmEq+STkh5S/wTLE0TICAgAAV3oCAABCZVIAAB4KAgAApJhuAAWGogIABJdnu
Date: Thu, 14 Mar 2024 12:21:10 +0000
Message-ID: <DM6PR01MB4395A94A70B965BF62C4E3CDCB292@DM6PR01MB4395.prod.exchangelabs.com>
References: <yblbk7nh517.fsf@wx.hardakers.net> <017d01da7498$6c7d8f70$4578ae50$@bellatlantic.net> <SJ0PR15MB513247E0DC4DBCC3EA3AB0DAB82B2@SJ0PR15MB5132.namprd15.prod.outlook.com> <DM6PR01MB439526AD9219E9F0D2806936CB2B2@DM6PR01MB4395.prod.exchangelabs.com> <SJ0PR15MB513284153249CD8875399553B82B2@SJ0PR15MB5132.namprd15.prod.outlook.com> <DM6PR01MB43950A5955A657343A6D4FF9CB2B2@DM6PR01MB4395.prod.exchangelabs.com> <009201da7574$d016eb30$7044c190$@bellatlantic.net>
In-Reply-To: <009201da7574$d016eb30$7044c190$@bellatlantic.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR01MB4395:EE_|MW4PR01MB6145:EE_
x-ms-office365-filtering-correlation-id: a5bee5a6-9eda-4bb4-e78d-08dc44213b66
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: A2hKB1DfRiMTurZ7KZWrDb8VHYR6P1zdmG+aBTrXk5/FM4UWCq5YBRf4YGtO5VtuGtbK39zQHJjHa7LG4OVVsDD9fxsVfQ+MTW7Oxbxl3jdNr75ASK5cUjJYPgB0MXraX9psW9ROPvTBYy75u3LxKaY2BsKpQBi5XCsBw+GmNOQaX44YDBQ/PAtad/OhdPRqu/onJYpVQCEjCTNALwVB2Z6ay6BL5McZkTxyrSwLhDzoFLaNKi/5Y2J3gmIiq+F+KDEMrAYhP+CUI26paZHQhPLPB2NCYr0fPYjICSV3Szh3R1ExO9pexS1wR2wiIQIw5Xce/bLOrFUFD+tWIrJWqXVJHjVfnIYOpNxZ6SvTK6tuJmWePCLFyphSgIEZX6sgALrsp1etWrznwE3Su/5ZJC0I6z/9IuBhJK/AfCbzdisba3RwGpuMC8Zro1qRA3tQqZ5j8XoEB0vYSOM9eAyu3TKI7A2f6+sVNahlfboSFXi5DCMmHsaD62nHjt2v2WQTDi7HGGzSO5XOqZjC53tvCBS1kXmph8QRzbdFECyEbyIfzcdhybcIfVADHot6d2r+LPQdy0kYh9eG0qOUHmNjt7FybFU8HfTMUwzXxlAvx4bagGWRsviBkkvleeRB2lGIKYsSMX3oUbf8T3DQdFyWgnAF7pomoImvXVbn+E9dCMQ=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR01MB4395.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230031)(1800799015)(376005)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ELrfUdwlqT9LuAwxc1FJ7kSefa1vwKWsPN5RKzwLukp8HMMisl/XXbupTof93KUkXJC1qYyBX7hjzcKYf0znBst3y0WRoMZZ9SiqR7eCHjjmJiCaD9hCxVxqiinhO6/fKkA6QTb9/ju2tZVt+Gm478/0J9/UGjJfjygPjeyaKVX7XbZLikQJN3iDWZK9Xa+iWl/Yvk478C7ZupgA62f1stYsHGPLjpQfSo9Z6OfbjtJbp5d+cetqpW4n/uGcBq0NdTgFGR7NMmQG8rlfjXe8mk8I5McGEAIPcwBiWc4fliwuVerNvTBxW+duAz52KswluQgcByU1Kv2aYllXYN3t5XGy+r/Vief0ZxanKpraeYzVplncMFZuTWxkk43rAn43X3IDn3JaJcPYlSlzd6B5SMnU7eGYGWgNUTlChgJruNV6pYF+viQqASRQbgUprCLmxev4h3esbLUoieONMk/UF7+V6Adcj/CHAvCUHpw2W2zRCfSYCU7Yu4FvkdcRd8u9ZtfIXLu2zesbbHxUYNb/Ew2byKCuEYBgiCExJ+WtgoURsMj9MhRSi50c4Hu5r48wEoIuwM3JGP+bBoBt8UnIaINbvmc6GH1cHE0hrUajBoNUhga3PNzmliafyhDXXmDKyNAbUj/f35XRfLU9FYDrxnzoVC42fmbX3ufJIb45e5aRvHq5cUWPiZbDnOK/0Dqy77/Bxcm2aOll6dk06gWwKVjL12McaYh7pDG8ySJADTq4al1UaPY3UtHQMvH+UfO2GNlOcjDug1Sj56WZOxmhonRebR9bXSio1DsiUJuWOFupUcd4mhXUM2xawNOneqdXxeTWFZXYLHBHtPRGeu0yEyRMelnnhhO5UB47GAwzBPVD6ADhqS/v4pbYoz7i0qGpi7sFZGhhRi8PcyGIlw4Z2pQPG8BR6DkbHbXb+zCG6eluZyYHJO62OYrZqn6fyurlxIM+Qy+ABFD72kiEjvGbIeO9NSOFGMbemJ5+qqNIMygpdDNmlM7eKvmcXSfzO+19eH+zNjAg/9Gf8IMofaKwruNXryVh1dXRTFwmuyQorMRbWSRPFsUC3tVVMmoikDzGt4jWirc3s3iH2cHAI2HtY3BUmqwxc5pXuQsBZ6G3z7PtuoQIbK4nSCRr4TwKq4pEZQbplGRHxEPY/is2iUukrNbjBp2rKNMsceptu7ykCImw2fiJQzJHfnaVUwcqKeHi6ohgKntCzmOR3ANgiTRMyOUtUx+WMHd6Bot2MoIFkIRmyDY0jQaUY1GOLqIJn5rlKUVU0Y7FJCiKoBksfjuSXxyeRLN41NXiZ5UEuRU++m6QPe1abFmMCbJ62mEW0eYnKmDy8xelbaPa+XVnkl0RBg4wob/ORjzdqPV7+W/CF12M2FcikaDE2rnwlKYqltISAvCjeu3WPUUX8ZzE7Tyhqd+c1k+fbPRlF8xz2PtrhOA/+6gfVuDRGXTmoJhTA3zXWTOETZM7n9miqIN4Lg4CQXfFoejq/V2nde2Go5KetKp6IYf6Mj1cCmNgqyDcqWy1Nn/oNWfHBY7kw/nzSid2QBx53f0KY82GYofJD8LF4trPKHhY/+kDAIN0bo3JSxVfp/qkH0UGbRQr3NzbZt2BmAXUuHaa2D6H+/WzofivLSMlCSim5B0lJNEsBR8KOtoA
Content-Type: multipart/alternative; boundary="_000_DM6PR01MB4395A94A70B965BF62C4E3CDCB292DM6PR01MB4395prod_"
MIME-Version: 1.0
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR01MB4395.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a5bee5a6-9eda-4bb4-e78d-08dc44213b66
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Mar 2024 12:21:10.0835 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: JnuqGtzhDe1Lk9i9twN+Fa1uKP+5w0pvFGFU2oaT0lIu7HRvF+tVNfzt/duGJmczOHTkBGfGEIxEBxNrRc4EEg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR01MB6145
Archived-At: <https://mailarchive.ietf.org/arch/msg/sat/BjgxdSIRSq4I-bqw0FHDCXySyf4>
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
X-BeenThere: sat@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "The purpose of this mailing-list is to discuss the secure asset transfer \(SAT\) protocol and related aspects." <sat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sat>, <mailto:sat-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sat/>
List-Post: <mailto:sat@ietf.org>
List-Help: <mailto:sat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sat>, <mailto:sat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 12:21:18 -0000

Thanks David,

These are great inputs.


>>> I think the appendix Thomas has suggested below belongs
>>> in a threat model document.
>>> I don’t think RFC 5246 (TLS 1.2) is a good model.
>>> TLS is essentially a transport protocol not
>>> an application protocol.


I definitely agree we will need these facilities to make the gateway useful. I think in the past couple of years the group has discussed the need for these gateway-related facilities (services).

However, right now we are constrained by the scope of the Charter which limits us to focus on the transfer flows (burn-mint) with ACID properties. Many things need to occur in Stage-0, which is out of scope currently.

If/when we expand the Charter, we should include a threats model document IMHO.


>>> Is a query facility necessary for one gateway to verify
>>> that the other gateway has really performed critical functions?
>>> Example:  Did Gateway 1 really extinguish the asset
>>> when it was supposed to?

I believe this this is the facility that Rama is developing in the Views draft. In fact, this question (did the burn occur) should be answerable by any gateway fronting a network NW1 (even if that gateway was not originally involved in the transfer).


>>> Is a facility needed so that each Gateway can do its own authentication
>>> of the user signed on to the other Gateway?


This is part of Stage-0. In practice, gateways would need to call APIs of external identity service providers (IdP) to validate the identity of the user and the attributes of the users (e.g., are the users on the OFAC Sanctions list). This could be another new draft about how a Gateway could interact with an Identity Registry/Issuer (ala W3C Verified Credentials data model).


Best
--thomas



From: sat <sat-bounces@ietf.org> on behalf of ladler2@bellatlantic.net <ladler2@bellatlantic.net>
Date: Wednesday, March 13, 2024 at 2:32 PM
To: sat@ietf.org <sat@ietf.org>
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
Hi:
   I think the appendix Thomas has suggested below  belongs in a threat model document.
I don’t think RFC 5246 (TLS 1.2) is a good model.  TLS is essentially a transport protocol not an application protocol.

I think the architecture document should contain additional systems features such as:


  1.  Is a query facility necessary for one gateway to verify that the other gateway has really performed critical functions?
Example:  Did Gateway 1 really extinguish the asset when it was supposed to?


  1.  Is a facility needed so that each Gateway can  do its own authentication of  the user signed on to the other Gateway?


I am sure there are other facilities necessary to provide security to this process.

David Millman

From: sat <sat-bounces@ietf.org> On Behalf Of Thomas Hardjono
Sent: Tuesday, March 12, 2024 5:32 PM
To: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com>; ladler2@bellatlantic.net; sat@ietf.org; Thomas Hardjono <hardjono@mit.edu>
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

Folks,

How’s about this text for an Appendix in the SATP-Architecture.  I’m thinking we should make each paragraph short, kind of like Appendix F in RFC5246.

Please feel free to suggest additional bullet points on attack points in the SATP protocol run.

--- --- --- ---
Appendix A: Security Analysis

The SAT protocol utilizes a TLS1.2 (TLS1.3) secure channel that must be establishes between the sender gateway (G1) and the receiver gateway (G2). The two gateways must first establish this secure channel in Stage-0 before they can proceed to execute the SAT protocol. This includes both gateways verifying all the relevant parameters required for their TLS1.2 session (e.g. correct TLS endpoints, certificate validation, identity validation, etc.).

Assuming the two gateways have established the secure channel and have proceeded to commence the SAT protocol, there are a number of possible attacks points within the SAT protocol run that may occur if one (or both) of the gateways are dishonest. Alternatively, an attacker may target one (or both) gateways by disrupting the message exchange between gateways G1 and G2.

(a) Multiple intentional aborts by the sender gateway G1:

A dishonest sender gateway G1 may purposely fail to continue the protocol run at certain crucial points.  One such crucial point is in Stage-3, where the gateway G1 is expected to transmit the Commit-Final Assertion message (3.5). If the gateway G1 intentionally fails to transmit this message, gateway G2 may conclude that the message has been lost and may proceed to reverse the temporary hold it has previously created (temporary asset mint in message 3.2).  Although this dishonest behavior by G1 does not cause asset damage to G2, it may exhaust computing resources at gateway G2. If network NW2 incurs transaction fees, such a reversal may be costly for gateway G2.


(b) Multiple intentional aborts by the receiver gateway G2:

In a similar manner, a receiver gateway G2 may also purposely fail to continue the protocol run at certain crucial points. One such point is in the Commit-Ready message (3.3) that it should transmit to G1 after receiving the commit prepare message (3.1) from G1. In this case, gateway G1 may conclude that the message is lost and simply abort the protocol run.


(c) Failure to transmit ACK-Final Receipt:

Another possible point of attack by a dishonest gateway G2 may occur by the gateway intentionally failing to transmit the ACK-Final-Receipt (3.7) in response to a the Commit-Final Assertion message (3.5) from gateway G1. Here, the senser gateway G1 may conclude that the message is lost and will assume that the transaction has reach finality in network NW2. The sender gateway G1 has retained the previous Lock-Assertion Receipt (2.4) in Stage-2 that was signed by G2, indicating that the gateway G2 has accepted the responsibility of ensuring that the asset-assignment (3.6) by G2 will be correctly executed. Failure by G2 to complete this task becomes a financial and legal liability for the owner of gateway G2.


(d) Other?

--- --- --- ---



--thomas




From: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com<mailto:vramakr2@in.ibm.com>>
Date: Tuesday, March 12, 2024 at 2:59 PM
To: Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>>, ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net> <ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>>, sat@ietf.org<mailto:sat@ietf.org> <sat@ietf.org<mailto:sat@ietf.org>>
Subject: RE: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
FYI, we did discuss security threats a couple of months ago on this mailing list: https://mailarchive.ietf.org/arch/msg/sat/CPTQfYeEH0acV_5ryeBdCEPAD0c/. The outcome was that “12. Threat Model Considerations” was added to the architecture draft.

Rama

From: Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>>
Sent: Wednesday, March 13, 2024 12:13 AM
To: VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com<mailto:vramakr2@in.ibm.com>>; ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>; sat@ietf.org<mailto:sat@ietf.org>
Cc: Thomas Hardjono <hardjono@mit.edu<mailto:hardjono@mit.edu>>
Subject: [EXTERNAL] Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

Thanks David and Rama, One useful analogy at the protocol level is to compare the function/purpose of the SATP protocol with the function/purpose TLS1. 2 protocol (RFC5246). The TLS1. 2 spec defines the behavior of the client/server to establish
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
    Report Suspicious  <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/AdhS1Rd-!-HFV_fb-Xk972ls5DoWgMWW79oH20YfNH8hjCg3JlqiuFsXT2NITBT7QRPylcK8cqNSq3CDVQ6pUL0xR8KH4JB2dmkL9SjtYZgBubMWLl0x9qJWTlFfUIpU1ph2Fp4CrUIPjIw$>   ‌
ZjQcmQRYFpfptBannerEnd
Thanks David and Rama,

One useful analogy at the protocol level is to compare the function/purpose of the SATP protocol with the function/purpose TLS1.2 protocol (RFC5246).

The TLS1.2 spec defines the behavior of the client/server to establish keys amd secure session etc., but the RFC does not say _how_ to implement a TLS Server.  The server could be a standalone box, a microservice in a private cloud, or on a public cloud.  In each of these cases, the actual implementation quality and attack-resistance will vary.

Similarly, the SATP-Architecture and SATP-Core defines the behavior of gateways (which we call Client/Server in SATP-Core). It does not say how to implement a Gateway in a relatively attack-resistant manner.

A useful part of RFC5246  is its Appendix F (Security Analysis), which discusses some of the possible attacks and some strategies to counter them.  Even there, the Appendix does not explain how to implement against these attacks.

Perhaps SATP-Architecture (or SATP-Core) could be improved by adding an Appendix discussing the Security Threats.

What do folks think?


Best
--thomas



From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> on behalf of VENKATRAMAN RAMAKRISHNA <vramakr2@in.ibm.com<mailto:vramakr2@in.ibm.com>>
Date: Tuesday, March 12, 2024 at 1:33 PM
To: ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net> <ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>>, sat@ietf.org<mailto:sat@ietf.org> <sat@ietf.org<mailto:sat@ietf.org>>
Subject: Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02
David,

In my opinion, SATP doesn't require "everybody" to be honest, but just requires that each counterparty network be "collectively honest", i.e., maintain internal consistency and have the capacity to thwart insider Byzantine failures.

Further, if a gateway acts dishonestly, "honest" counterparty networks will be able to find out through an audit (which is not as satisfactory as a prevention, but it may be the best we can get in a completely decentralized setting.)

Your point about SATP coming under intense threat (and scrutiny, if it handles large-valued assets) is very well taken though. We do need to make the security assumptions and caveats crystal clear. IMO the design principle of network opacity as mentioned in Section 3.1 covers the point about collective network honesty as it tells users that, from SATP's perspective, the network is a unitary entity that has delegated asset transfer privileges to a gateway.

Rama

-----Original Message-----
From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> On Behalf Of ladler2@bellatlantic.net<mailto:ladler2@bellatlantic.net>
Sent: Tuesday, March 12, 2024 9:45 PM
To: sat@ietf.org<mailto:sat@ietf.org>
Subject: [EXTERNAL] Re: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02

Hi:
  I have a problem with the architecture document because it contains only small sections related to security.
The SAT process will come under intense threat from external theft and internal fraud.
The architecture document focuses on a clean asset exchange where everyone is honest and uses well tested software.

I am not an expert on blockchain or related technologies so the experts in the WG should add to the architecture document the features necessary to deal with the threats.

Question:  Do we want to revisit the architecture document when the threats to the SAT process are enumerated?

David Millman

-----Original Message-----
From: sat <sat-bounces@ietf.org<mailto:sat-bounces@ietf.org>> On Behalf Of Wes Hardaker
Sent: Saturday, March 9, 2024 9:08 AM
To: sat@ietf.org<mailto:sat@ietf.org>
Subject: [Sat] WG Last Call for comments: draft-ietf-satp-architecture-02


Greetings all,

The authors have requested that draft-ietf-satp-architecture-02 be placed into WG last call and after a review by the chairs we agree it's ready to progress forward.  I have some personal comments that I'll submit during last call, but nothing substantive or process-problematic that should hold up it progressing.  Thus, we have changed the document's status to being in WG LC and have set a deadline of 4 weeks from now.  Thus, WG LC will end on April 6th, AOE (anywhere on earth).

We encourage all participants of the WG to read the document,  suggest any changes you feel are needed from simple editorial suggestions to calling out major issues you find with the document.  WG participants should also express their opinions about whether or not the document is ready to progress and you support it's publication.

All comments should be sent to the mailing list.

--
Wes Hardaker
USC/ISI

--
sat mailing list
sat@ietf.org<mailto:sat@ietf.org>
https://www.ietf.org/mailman/listinfo/sat

--
sat mailing list
sat@ietf.org<mailto:sat@ietf.org>
https://www.ietf.org/mailman/listinfo/sat

--
sat mailing list
sat@ietf.org<mailto:sat@ietf.org>
https://www.ietf.org/mailman/listinfo/sat

v2.23.0 | Report a Bug | By Email