Re: [Trans] Threat model outline, attack model

Stephen Kent <kent@bbn.com> Wed, 01 October 2014 14:32 UTC

Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 024081ACDD8 for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 07:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.987
X-Spam-Level:
X-Spam-Status: No, score=-4.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pgutExzoh-dv for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 07:32:08 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9437A1ACDCF for <trans@ietf.org>; Wed, 1 Oct 2014 07:32:06 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:43503 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XZKx2-0005OM-1H; Wed, 01 Oct 2014 10:32:20 -0400
Message-ID: <542C1063.50404@bbn.com>
Date: Wed, 01 Oct 2014 10:32:03 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Ben Laurie <benl@google.com>
References: <5411E511.1040605@bbn.com> <CABrd9STmog8-JZCg9Tfv_ToUswY=9LBcZAPQM2cqUVcO0dhAnQ@mail.gmail.com> <54173589.3000404@bbn.com> <CABrd9SRShqm1r-2ajbqD5w1s686ciyjcEvywsXZaapgmi57NsA@mail.gmail.com> <54242F8A.2080602@bbn.com> <CABrd9SSwAdv-mAgofNT6bMWky7q=bZhAaX=L4gZUQDkROQ-3ZA@mail.gmail.com> <54258AF0.7090602@bbn.com> <CABrd9SQNXHdJQCC3JQJirqdkg_ub0oXCkxPqit9H6LjUPqNioA@mail.gmail.com> <54297249.1090409@bbn.com> <CABrd9ST59Yd3GDjxMiX9jMg68_BRd2_v0Mpo8u_oW1zM1VWjjA@mail.gmail.com>
In-Reply-To: <CABrd9ST59Yd3GDjxMiX9jMg68_BRd2_v0Mpo8u_oW1zM1VWjjA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/tyG7lY6VYEfvHA3_hFqroPeNpt0
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Threat model outline, attack model
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 14:32:11 -0000

Ben,

> ...
>> Again, I disagree. We should define what we can and make design decisions
>> based on that definition. Anything else that might be considered
>> mis-issuanve,
>> is out of scope for purposes of this work. This is the sort of delineation
>> that
>> we often impose on RFCs; we define a scope for a standard and declare that
>> other
>> stuff is out of scope, relative to the standard.
> Then perhaps we should have a broader scope. Focusing on mis-issuance
> seems to lead to all sorts of, IMO, unnecessary complications.
I'm may get in trouble for saying this, but it seems as though the 
"complications"
to which you allude are just the result of taking the terms that have 
been used
to motivate development of CT and making them concrete, rather than 
ambiguous.

If a "broader scope" means using more ambiguous terms, I can't see why that
would be an improvement.
> It might be simpler to define CT as a mechanism for allowing the
> public examination of the contents of all issued certificates, without
> getting into exactly what might be done as a result of that
> examination. Detecting mis-issuance is, of course, an obvious example.

I'm very bothered by your suggested change of focus. For me, this 
characterization of
CT is way too vague for an IETF security standard (vs. an experimental RFC).

It leads a reader to imagine that we don't have a simple, sound, 
defensible argument
for why we're pursuing this technology. It has the flavor of "CT is 
obviously good,
so let's just do it."  (pardon me for putting words into anyone's mouth.)

Steve