Re: [Secdispatch] Dispatching draft on key consistency
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 11 March 2022 23:41 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5CFF3A133A for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 15:41:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yaYnSo901M8w for <secdispatch@ietfa.amsl.com>; Fri, 11 Mar 2022 15:41:12 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27CCB3A07A7 for <secdispatch@ietf.org>; Fri, 11 Mar 2022 15:41:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id CAA6938A1E; Fri, 11 Mar 2022 18:50:44 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id NnmIHOIlKARe; Fri, 11 Mar 2022 18:50:29 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 6A48538A16; Fri, 11 Mar 2022 18:50:29 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1647042629; bh=q+gzYNN4zv9O0+65SgGw6D3CHGmLz4PlTbGT/hNVzZM=; h=From:To:Subject:In-Reply-To:References:Date:From; b=lRMePC+w+cQ13WfiCFabWEXqRNU3BbR++qTFG15whTglTMDgYfaClNlV6og8SeeSJ VEltKmqqiGicC2WY5In2Vv27Jj3iGizu/aQrpI3X57bVYOK9EI30PjweEI+ZE335hg T4W+bABf5+zhBolkhTE/Z3tFZ8mWkoq3deAYIyTfGTdulBQAALLw9VuSfMAJAUexxm xd/4+ovQnH2NVmArJ+CujwR8rxvHYcLG52GJjz3LpPjeVPaLJmanrCF6Ca8+M4LwcN 3U8gzIbWpzPHpeWkF4Gpyd8k0jKvpUWOpjcfF442YPNmaAXgDlr+EaXHOdQqew16MP Bv4pOd7N+ZEIw==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id D703265E; Fri, 11 Mar 2022 18:40:53 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christopher Wood <caw@heapingbits.net>, secdispatch@ietf.org
In-Reply-To: <1C782443-5FDE-4847-8F47-997DDCD0DDE3@heapingbits.net>
References: <8BB73374-E38C-40A5-A147-F469B8C24D01@heapingbits.net> <24889.1646506998@localhost> <1C782443-5FDE-4847-8F47-997DDCD0DDE3@heapingbits.net>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 11 Mar 2022 18:40:53 -0500
Message-ID: <1699.1647042053@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/pGstPZmdoTW86_Ya4j5YNhcQD7U>
Subject: Re: [Secdispatch] Dispatching draft on key consistency
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2022 23:41:17 -0000
Christopher Wood <caw@heapingbits.net> wrote: >> "somehow" ... such an attacker can substitute any on-path attacker key. >> I don't see how this is distinct from all the other attacks. > The problem here is, say, forcing one single client to use key A and > all other clients to use key B. The attacker would then be able to > identify the individual client whenever key A is used. I understand. >>> [4] https://datatracker.ietf.org/doc/draft-wood-key-consistency/ >>> [5] https://datatracker.ietf.org/doc/slides-110-privacypass-key-consistency-and-discovery/ >> >> In reviewing the documents, it seems that it's not "somehow", it's >> that the proxy has been >> persuaded to collude with a third party. Perhaps that would be better to say. > It’s not clear to me what you mean by "the proxy” here. The document > doesn’t make any assumption about a proxy. Indeed, direct discovery a > la section 4.1 > (https://datatracker.ietf.org/doc/html/draft-wood-key-consistency-02#section-4.1) > involves only client and server. Would you mind clarifying what you > mean? Oblivious DoH and Oblivious HTTP involve some kind of intermediary. Maybe calling it a proxy is incorrect, but there is a third party. >> Perhaps "persuaded" is the wrong term as well, since I think that the goal is >> to defend the proxy against NSLs that would force the proxy to collude. >> >> What is needed is a kind of canary such that for clients can detect when they >> are being singled out, and then refuse to operate with that proxy. By >> existence of such a mechanism, proxies can effectively render themselves >> useless to such forms of "persuasion". > The purpose of key consistency is to give clients a way to ensure they > are not being singled out, not to tell clients when they are being > singled out. These seem like different sides of the same coin, no? Hard to prove a negative. Easier to give them a way to recognize a positive, I think. Either way, what does the client do when it figures out it has been singled out? If the goal is to hide in the crowd, then if there is a spotlight on you, better act "normally" right, and not give away that one has figure out one has been found out? The client probably needs to go ahead and pretend it hasn't been singled out, and do some innoculous transactions anyway, right? -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Secdispatch] Dispatching draft on key consistency Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Michael Richardson
- Re: [Secdispatch] Dispatching draft on key consis… Christopher Wood
- Re: [Secdispatch] Dispatching draft on key consis… Eric Rescorla