Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt

Eric Rescorla <> Mon, 15 July 2019 00:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 428D912001A for <>; Sun, 14 Jul 2019 17:34:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KP37vQMV8kHN for <>; Sun, 14 Jul 2019 17:34:12 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7D97B12009E for <>; Sun, 14 Jul 2019 17:34:10 -0700 (PDT)
Received: by with SMTP id i21so14373508ljj.3 for <>; Sun, 14 Jul 2019 17:34:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z9rkWk9v2WlIyeEZ2QDYLGT2TpQRFMvMfs7x/hZ0kq0=; b=MZ6AwemFNuPGc4/7mNmG48NZamSAkzIvkU+dmS+iZWfjfUa+BKwRh/B99ROH5CICE6 3+xxluCsM5YirH1dVQX0ky65tdmwxWbWD4cQ6he9MgSXHaLOjm83TWgr5G6NxSgm6krr yC6eQTyWc4qO9YrR8o9qbI7h5aBF0FM49SpLxwFKM6GtlaQFgRGbtXWncUEsuAO/ryov RUVHzDHNXaDGpjyIJFow1pf1Rqq1sGd4himBA24ym4Z0R9NYbhoAhil9Y7/pNtJ7GIRO 5pG+udBGJPASZMfhuAfKMHWazn8+1784cP/XqCKMyXCNGKpB4lRo3P7CSFkCC7K3VmBB eapQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z9rkWk9v2WlIyeEZ2QDYLGT2TpQRFMvMfs7x/hZ0kq0=; b=IWhNc+bkxGpFF+FuRLSeZnWEf/fq8LohqyMcKarqR9Y3ktleB+WW8xucX7iR6L/lmx w1GJhnPk2/Tpa/V3gLpQwWJ46KszS5BUsrmLvJ8vCFbivnlYkmFWmEQI44gIjQrjMG4q KFRQOZnwoL+1RvJIX8hq8tCpQXiXS/2Hu31hpLX8gHNEP8MUQiCsrCmQsRUxu0ed41sk BXWLjywtU86pktZsyM0/XLwTiBndwYzTheZOu4Pkwg2wFRAfxPU6DHV5RMoBjPWppqSG DGJ/WXEs6InMSv2Us9nCJlN/UaHPvYf3Ay/o40vyiC5YqfBJSRwTfSKam8Soajqhxnbf fBvQ==
X-Gm-Message-State: APjAAAWQnqc9uasSy8pmhKQPNxEjUqFd+pNW1evN7+yjmvfp4XbbTYdF MdTujifqq/J5A3YM7VuP/jr7PburIUe3keetPN4=
X-Google-Smtp-Source: APXvYqw6heQzDgmHxVWJ0RWnCBG6y+YpZUGREfUEwSNBl4QGQ1Xg5zmdCwXQjqWuLAPB7wKLGZn4/N24BNzot2nGabg=
X-Received: by 2002:a2e:8892:: with SMTP id k18mr12524142lji.239.1563150848732; Sun, 14 Jul 2019 17:34:08 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Eric Rescorla <>
Date: Sun, 14 Jul 2019 17:33:32 -0700
Message-ID: <>
To: Phillip Hallam-Baker <>
Cc: Stephen Farrell <>,, Kathleen Moriarty <>, Dominique Lazanski <>, IETF SecDispatch <>
Content-Type: multipart/alternative; boundary="00000000000011c2d1058dad6be9"
Archived-At: <>
Subject: Re: [Secdispatch] [Smart] New Version Notification for draft-lazanski-smart-users-internet-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Jul 2019 00:34:14 -0000

On Sun, Jul 14, 2019 at 5:27 PM Phillip Hallam-Baker <>

> On Sun, Jul 14, 2019 at 5:25 PM Eric Rescorla <> wrote:
>> I more or less agree with Stephen's position.
>> First, I recognize that this focus on secure endpoints talking to each
>> other is probably the part of 3552 that people are most unhappy
>> about. As I was almost certainly the person who wrote that text, it might
>> be helpful if I laid out some background.
>> First, RFC 3552 isn't intended to say that endpoint threats aren't
>> real, but merely that they are out of scope because they are hard
>> to address. Here's the text in context:
>>    The Internet environment has a fairly well understood threat model.
>>    In general, we assume that the end-systems engaging in a protocol
>>    exchange have not themselves been compromised.  Protecting against an
>>    attack when one of the end-systems has been compromised is
>>    extraordinarily difficult.  It is, however, possible to design
>>    protocols which minimize the extent of the damage done under these
>>    circumstances.
> Hmm... restricting the requirements according to what problems we think we
> know how to solve seems to be a bit of a systematic problem in the
> industry.

Without taking the position on the industry as a whole, the E in IETF
stands for "engineering", so I think trying to solve problems we know how
to solve is prudent. As the list of things we know how to solve increases,
then we ought to attempt to solve those as well.

First, I'm not sure that I agree that cyber attacks on endpoints are
>> the greatest threat to the Internet, but even assuming that's so,
>> what are the implications of that for work in the IETF? It's one thing
>> to change the words of 3552, but what work specifically would we
>> do if those words were different.
> I'm not keen on the focus on the end point. It seems like it is brought up
> as a trump card to 'prove' that all security efforts are futile and the
> criminals must always win.

Well, that's certainly not my position.

Endpoints don't require standards in quite the same degree. But that
> doesn't mean that nothing we do is relevant to endpoints.

Nor is this.


For example, forget 95% of trustworthy computing, the main residual
> vulnerability of crypto protocols is the risk of private keys being leaked
> off the machine. That is an endpoint security control that provides real
> leverage for relatively little cost. But it is a mechanism that can only be
> used in communication protocols if they are designed with that constraint
> in mind.