[tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-options-33.txt

"touch@strayalpha.com" <touch@strayalpha.com> Wed, 11 September 2024 18:14 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34790C14F713 for <tsvwg@ietfa.amsl.com>; Wed, 11 Sep 2024 11:14:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FFQxEYmQm-5C for <tsvwg@ietfa.amsl.com>; Wed, 11 Sep 2024 11:14:02 -0700 (PDT)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B6E6C14F712 for <tsvwg@ietf.org>; Wed, 11 Sep 2024 11:14:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=1ZnPQnSLFkV+dyksrjsTkvkyPsg9i1aKZIf2nRvFK4k=; b=JkCiDeHcmH3sifZy/n5dpK1E0E TJCMX94ap8RQwAOc7GD0A0uet9Ta2JQlTPwn9fpbTMgGs+sxuw+1F88ZUDSZpyVqHuV+TqwQzIHlp ESZPmMu1qji8a/lerQ5akgB4+v0em7p3vBvUXQ2dK2ZIknXQ5wg4Vw800JGzqtucqKz2wRnwG/nn4 qRvpyFUaMVVwx/hPb2VbM6DES22t2D21cV7UHLN55g3Nsl2q/FHunAWtyID633TFbh4MRv2PyiSeb k6NKzlNkUxFzu/K52fMmzr5GxQC1YQ3LRP6WLC79sAfEPiv2yp0UJQvNdg7B4vq9K0fuf1xYlxLkf 54lJ5R/w==;
Received: from [172.58.208.157] (port=62187 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <touch@strayalpha.com>) id 1soRqs-005shs-2H; Wed, 11 Sep 2024 14:14:00 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_603FDE73-80C3-4CA8-A138-4A8BF4964852"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <CALx6S36M-rw+4AmrQp_UZTLwt+jCXO=vR1za-=fxQe9ODX7h4Q@mail.gmail.com>
Date: Wed, 11 Sep 2024 11:13:48 -0700
Message-Id: <8AF179F7-E909-461D-91A4-1E53A1078131@strayalpha.com>
References: <172550306709.1770786.15730705299947048772@dt-datatracker-68b7b78cf9-q8rsp> <4BA70A7D-AB39-4EED-82DB-7BDF9C3AC064@strayalpha.com> <e1a66d25-4c33-4e78-a182-8f5a06a6a750@erg.abdn.ac.uk> <CALx6S37th5ZzKVxJxZL2S3_WH-SAUxs0x5_kTLYr+PuYMSe4eQ@mail.gmail.com> <d71d390e-ffab-4f20-9b30-567a53c44cc9@erg.abdn.ac.uk> <CALx6S35hWYUgZqdaYharL3k1BviXkXvBFEnVUNd=yVsTfzbK8g@mail.gmail.com> <da02c827-cfd2-4fb7-a047-1b71dc806142@erg.abdn.ac.uk> <B1CED44D-A3C0-4BF8-BA4F-198A96DAA854@strayalpha.com> <BB412B73-9B21-49BD-80AE-DB94E6FD01A1@gmx.de> <D8C1B4D0-1DE1-478E-804F-20D8D4964AF9@strayalpha.com> <1C7A0E1F-E150-4F05-BE26-6FDC54412191@gmx.de> <9AA60AF0-06F8-456A-B995-FDB52883B7A7@strayalpha.com> <CALx6S35Rv4XzJxxYNUsu2sf=0Cks5PyBXXRmH8sqJj6COzb6Qw@mail.gmail.com> <BAF86E72-D047-47D6-8655-FD62A7F52BE7@strayalpha.com> <CALx6S36M-rw+4AmrQp_UZTLwt+jCXO=vR1za-=fxQe9ODX7h4Q@mail.gmail.com>
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3776.700.51)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Message-ID-Hash: 6UY2SES26UJHHHKD63WJWLBWYKFWMOX3
X-Message-ID-Hash: 6UY2SES26UJHHHKD63WJWLBWYKFWMOX3
X-MailFrom: touch@strayalpha.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tsvwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsvwg IETF list <tsvwg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tsvwg] Re: I-D Action: draft-ietf-tsvwg-udp-options-33.txt
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/xPQEJ7m99bo8H0SWeiS1YPtvriA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Owner: <mailto:tsvwg-owner@ietf.org>
List-Post: <mailto:tsvwg@ietf.org>
List-Subscribe: <mailto:tsvwg-join@ietf.org>
List-Unsubscribe: <mailto:tsvwg-leave@ietf.org>

Hi, Tom,

> On Sep 11, 2024, at 9:44 AM, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
> 
>> I would be glad to discuss new perspectives further, but continuing to claim that *defaulting* AUTH as OK to accept regardless of the check result is the same as saying every signed email you receive should be dropped when you lack the key - or try to read them on a device that doesn’t support signatures.
> 
> Joe,
> 
> Email has the same problem. If you accept a signed email without
> validating it then you are potentially accepting a forged email.

Yes - and many people do that. This email and yours included, because neither is signed.

> That
> is a problem. The sending user didn't sign the email just for fun or
> to waste compute cycles, they did it because they want to protect
> THEMSELVES.

Yes, but they do - as per my other note, when I send signed work emails, that means that a user CAN read it on any device, but can now - or later - check to make sure its authentic if they want. If they don’t, that’s also fine too.

My signature, like that on a check or a contract, isn’t authenticated immediately. It’s the receiver’s option to decide if and when to authenticate. But it serves a purpose for me - the ’sender’ - to ensure that IF and/or WHEN something is challenged, it’s there for that purpose.

> If the receiver does accept a forged email because they're
> too lazy to authenticate it, then when the user incurs damages because
> of that laziness, liability is going to rest on the receiver.

Sure - just like banks not checking signatures on checks more than a certain amount or more than a few in a day from the same person. BUT, *after the fact*, those signatures still serve a purpose to determine whether the data was valid or not.

The nice thing about letting the receiver decide, for authentication, is that:

	a) they decide whether they want to support the feature (code complexity, size)
	b) they decide whether or when they want to invoke the validation (can save power and cycles, e.g., on portable devices)

> You seem to assume that only the receiver has a vested interest in
> secure communications.

I am not. I am, however, assuming that authentication isn’t like encryption.

The sender decides whether they need the “insurance”.
The receiver decides whether they want to assume the risk.

There are two parties there. The sender shouldn’t decide whether the receiver accepts the risk. The fact that this is true for AH is an artifact of the way IPsec needed to be implemented - effectively, all IPsec variants are UNSAFE because they can only be placed inside encapsulations.

Consider that this might have been the very reason AH isn’t used - that it wasn’t possible as a “SAFE” option for IP.

>> 
>> That’s basically a complete proof of why AUTH needs to be SAFE.
>> 
> 
> Hardly. If you want to prove that you need to show that ignoring Auth
> does not introduce a security risk for users.

See above. It introduces risk on them that it is THEIR decision to assume or not.

Joe