08:16:56 RRSAgent has joined #strint 08:16:56 logging to http://www.w3.org/2014/03/01-strint-irc 08:17:12 rrsagent, set logs public 08:26:21 jphillips has joined #strint 08:31:07 Ted_ has joined #strint 08:31:10 wjontof has joined #strint 08:55:33 JoeHallCDT has joined #strint 08:55:54 scribenick: JoeHallCDT 09:00:52 for remotes: the room is still quite unsettled 09:02:21 sftcd has joined #strint 09:04:02 Zakim has joined #strint 09:04:34 woo! 09:05:08 wish we could "skin" Zakim… e.g., for old-school U.S. hip-hop fans it could be "Rakim" 09:05:40 scribenick: JoeHallCDT 09:07:13 jphillips has joined #strint 09:08:00 JoeHallCDT has joined #strint 09:10:00 we're starting 09:10:23 Farrell: we'll discuss breakouts at the end of this session 09:10:45 mnot: I've been asked to intro opportunistic encryption (OE) 09:11:02 … 7 papers submitted on OE or OA 09:11:28 … (summarizes 07, 12, 27, 32, 40, 66, 46) 09:11:42 arobach has joined #strint 09:11:47 … mnot's is 12, won't discuss much 09:12:03 … 40 deep-dive on OE… not as relevant for a high-level discussion 09:12:24 … 66 good survey of how OE is already used (IPSec, VOIP, NAT, TLS) 09:12:37 … starts to collect relevant terminology… very important to know what we mean clearly when we say OE 09:12:54 … mnot was saying "optimistic" originally [laughs] 09:13:05 … 07, 27 discuss what "most people" seem to mean by OE 09:13:10 mcmanus has joined #strint 09:13:21 … tries to understand the risks and benefits of OE 09:13:46 … 07, 27 are good places to start in mnot's opinion 09:14:08 … 32 proposes tcpcrypt as a low-cost way of getting OE in the stack 09:14:13 Jiangshan has joined #strint 09:14:17 … first paper that separates encryption from auth 09:14:22 PhilippeDeRyck has joined #strint 09:14:33 DThaler has joined #strint 09:14:44 … 46 very similar. proposes a secure password store that does not allow the passwords to go out, but used for auth… combined with PAKE 09:14:54 … related things besides these papers 09:15:05 … mnot is about to get all HTTPBis on us all 09:15:33 … TLS for HTTP URIs… not sure if it will be authenticated or not just yet 09:15:45 … lots of concerns about what happens when we allow OE 09:16:01 ldaigle has joined #strint 09:16:01 kodonog has joined #strint 09:16:35 … opportunity cost: what would we miss out by focusing on OE 09:16:49 … folks in the WG submitted a draft talking about an "explicity proxy" 09:17:00 fluffy has joined #strint 09:17:02 s/explicity/explicit/ 09:17:04 … allows a HTTP proxy that can view content 09:17:19 hildjj has joined #strint 09:17:57 dka has joined #strint 09:18:09 grothoff has joined #strint 09:18:12 … Brad Hill from ebay pointed out this goes from two states of security (HTTP/S) to three (Auth or not) 09:18:26 … lot of dependence on unauth connections 09:18:44 … captive portals, virus scanning, policy enforcement, optimization 09:18:46 did Mark actually say pervasive monitoring at all yet? 09:18:59 … TLS MITM is becoming more common 09:19:31 … some suggested discussion points 09:19:46 … terminology. lets' not use "OE" because it causes confusion 09:19:58 … auth vs. anonymous 09:20:10 … fail-safe vs. fail-silent 09:20:20 … (argument ensues about terminology point) 09:20:54 … 2. ratholes to avoid 09:21:03 … specific tech/solns 09:21:13 … speculation on UI/UX 09:21:27 … (it's very important but not for us to talk meaningfully) 09:21:34 … not the right people in the room 09:21:38 … 3. Questions 09:21:39 but we have a breakout session on it 09:21:52 … is protecting against PM worth the risks? 09:22:07 … confusing users, encouraging relatively trivial attacks 09:22:19 … is the use of encryption without auth appropriate? 09:22:23 [the breakout could be about recoginizing the importance of UX/UI, not designing the interfaces right here] 09:22:30 … is failing encryption silently appropriate? 09:22:42 … are either appropriate for new protocols 09:23:00 … are there alternate ways to overcome deploument issues of "full" encryption? 09:23:19 … finally, what other work is impliated by ubiq-encrypt? 09:23:40 SMB: let the games begin! 09:24:22 Dave Crocker: would like to challenge a premise that was put forward twice 09:24:29 … about getting confused for having more states for security 09:24:42 … the assumption is with HTTPS that we don't already have a lot of confusion 09:24:48 … users don't undersand HTTPS 09:24:58 donnelly has joined #strint 09:25:03 … we should stop using the word security… means too much and too little 09:25:33 Larry Masinter: there's a gap b/w protecting against PM... 09:25:46 … does OE help at all? 09:25:56 Farrell: enc does help! 09:26:01 Larry: not clear to me. 09:26:16 … not clear to the vulnerable populations… mainly concerned about phishing or use of private info. 09:26:45 … since this doesn't protect against active attacks 09:26:47 [even so, that doesn't mean we shouldn't protect the other parts of the population] 09:26:54 … interferes with anonymizers 09:27:12 @@: start with terminology 09:27:15 dacheng has joined #strint 09:27:19 dacheng has left #strint 09:27:22 ldaigle has joined #strint 09:27:22 … when we talk about fail-safe, that's not right… 09:27:33 … it's about do we succeed at all in getting encryption 09:27:47 Ted_ has joined #strint 09:27:55 cabo has joined #strint 09:28:00 @@@: there are more states in the world than auth/unauth 09:28:10 s/@@@/Danezis/ 09:28:10 s/@@/Max Pritkin/ 09:28:25 … having after-the-fact evidence of MITM is very valuable 09:28:26 dacheng has joined #strint 09:28:48 … we should rephrase this whole auth/noauth debate into what kind of evidence do you have that you're speaking to the right person? 09:28:56 … not just a binary thing… much more nuanced 09:29:13 Coop: cute setup! 09:29:25 … user confusion is an issue but we can't talk about it? 09:29:40 … very important as this problem is conceptualized too much about what will be exposed to users 09:29:51 … no reason that OE can't be hidden entirely from users 09:29:54 W3C has joined #strint 09:29:59 (lots of hear hears!) 09:30:15 DKG: was going to say that as one point... 09:30:29 … confusion is not possible to talk about without some UI discussion 09:30:42 Ted_1 has joined #strint 09:30:42 … there are existing mechanisms that expose things like this… OTR is an example 09:30:57 +1 to usability being a vital topic here. 09:31:01 … also, the other axis… auth/anonymous… should be auth/no auth 09:31:31 mnot: to be clear: not suggesting terminology that should exist past 10:30a GMT today 09:32:00 Peter Resnick: want to reenforce that we really want to have no user exposing of the details at all 09:32:05 … if they are seeing it, it's a mistake 09:32:22 … to Larry's point, does not believe for a minute that this is not helpful in some way 09:32:33 … claim is that this doesn't allow anonymizers to work is rubbish 09:32:41 … now you fail in cleartext 09:32:55 … would much rather have underlying encryption that helps users not be in the clar 09:33:02 s/clar/clear/ 09:33:29 Kenny Patterson: speaking on behalf of cryptography community (apologizes for that)... 09:33:37 … OE has a very specific meaning in crypto community 09:33:44 … very different from what we're talking about here 09:33:50 … have no idea what to call it 09:34:08 PHB: thinks that the term fail-silent may be confusing... 09:34:16 … wants "succeed-silent" 09:34:37 … wants there to be an IETF rule that there can be no "Do not talk about the UI" from henceforth 09:34:55 … we already have OE… it's called Domain-validated certs without checking OCSP 09:35:08 … all browsers do this for the sake of shaving ms off of latency 09:35:20 PHB is so right about succeed-silent 09:35:22 … some folks are determined to make us secure only with low latency 09:35:41 hildjj has joined #strint 09:35:44 Steve Kent: with regard to use of pseudonymous creds, we do need to be careful 09:36:07 … given the confusion with UI, we shouldn't assume [something] 09:36:29 … things that encryption by default is not always a good thing, in net 09:36:49 … the use of battery on mobile devices should be part of the discussino 09:37:03 SMB: half of people have spoken that UI is iimportant 09:37:22 (asks for a show of hands… rules that the overwhelming sense of the room is that it is important) 09:37:38 Russ: many years ago, SMB and Russ wrote a draft about automated key mgmt 09:37:45 alfredo has joined #strint 09:37:55 … need a similar statement where if you have an environment that supports encryption, it should be on by default 09:38:15 Rigo: want to insist that we should decouple encryption and auth 09:38:40 … rigo's paper talks about how [something] is totally broken in auth across all protocols 09:38:48 … wants a cognitive scientist to weigh in 09:39:03 EKR: finds this discussion unmoored from reality 09:39:15 … at the HTTP interim in Zurich we talked about this 09:39:38 … encryption tied to an auth cred, although not authenticated encryption 09:39:54 One question that seems to be missed here: if the goal is to raise the cost to the attacker, does the inclusion of authentication increase those costs? The answer seems to me be yes, since it makes the cost of active attack much higher. 09:39:57 … when it came down to what we really wanted to do… we foundered 09:40:05 … some problems: 09:40:24 … 1. on side there was concern that network environments are important 09:40:39 … on the other side there were people that do not want encryption not tied to identity 09:40:58 … when we provisionally agreed to do this, trying to do it in HTTP was very difficult 09:41:06 … due to the interaction model and what servers can assume 09:41:17 … huge gap between "that'd be nice" and how to get there 09:41:17 Ted_1: this is true, but its not always an available option 09:41:26 mnot: doesn't think the discussion foundered 09:41:35 … ruled out the absolutish perspectives 09:41:40 … and are doing some testing 09:41:47 … it's TBD 09:42:11 smb: We haven't foundered, we're becalmed 09:42:25 Orit Levin: encryption helps with not only PM but a lot of other things 09:42:33 BenL: I agree, but if you are persuaded by the idea, then the question may be how to narrow the number of cases where it is not an available option and be transparent on the cases where it still is not. 09:42:46 … while we're talking about OE and auth/noauth… how can we talk about it when we don't know what auth or noauth is? 09:43:03 … there is a zoo of things in there 09:43:17 … what do we mean by auth vs. noauth? 09:43:35 Dan Appelquist: about usability 09:43:50 kenny has joined #STRINT 09:43:58 … when engineers talk about users, they mix usability, UI, UX, etc. 09:44:04 … they mix them all up 09:44:13 … what we're talking about here is "user considerations" maybe 09:44:33 … said well yesterday with "making it safe for users to buy stuff online" 09:44:43 … it's about what we want them to understand about security and auth 09:44:53 Ted_1: right, so that's why PAKEs and OS-level password stores are important: often I already have a password-authenticated relationship with the other end - we can leverage that up to authenticated channels 09:45:18 Dan again: dangerous to say that x protocol doesn't have a user 09:45:29 … for email, the user is the person reading the email 09:45:30 BenL: agreed 09:45:32 btw, "authenticated channel" vs "authenticated encryption" might fix the cryptographer confusion problem 09:45:38 … in IoT there are users connected by IoT 09:46:24 Pete Resnick: with psuedonymous the assumption is that there is no encryption at the auth level 09:46:46 … it's for the later step when you know what the connection is that you can name it something 09:47:06 ldaigle has joined #strint 09:47:14 Wendy Seltzer: speaks in favor of incremental improvements 09:47:15 wseltzer: wants incremental improvements 09:47:36 … can we recognize that encryption in the middle doesn't solve all problems but raises costs for the attacker 09:47:49 … don't want this incremental to block further ones that might do an even better job 09:48:14 … but because it doesn't solve all our problems, that's not a good excuse to not do it 09:48:26 Pat McManus: spent the past 6 months deep in this for HTTP 09:48:47 … unauth for HTTP URIs has a few very attractive properties and a few unattractive ones 09:49:02 … the biggest pro is that it's a drop-in replacement 09:49:24 … incentives have to be nontrivial to do things that are not so easy 09:49:39 … making this plug-and-play is crucial 09:49:48 … distinction between auth/unauth is not a binary one 09:50:00 … pinning is an example of a stepping stone 09:50:16 … has a FF build that does OE and alternate services 09:50:27 … will tweet out a link if you'd like to play 09:50:49 … neither Chrome nor Firefox will ship HTTP2 in an unencrypted fashion 09:51:01 … may be forced to compete on cleartext HTTP2 protocol 09:51:27 @@@@: with encrypting in the core... 09:51:39 s/@@@@/Melinda Shore/ 09:51:39 s/@@@@/Melinda/ 09:51:41 … on problem with UI, is that applications don't always know their security state 09:52:01 … middlebox issues are getting short shrift 09:52:22 … IETF/W3C are a bit disavantaged by not having network operators in the hizzy 09:52:28 dcrocker has joined #strint 09:52:31 … they're a big deal. 09:53:03 Eliot Lear: need to refine our threat model for middleboxes and OE 09:53:13 … if there are specific actions that we should take, please state them. 09:53:30 SMB: need to talk about the "trust model" of a middlebox environment 09:54:06 Ted Robie: what's the user expectation when a TLS setup is interrupted... 09:54:15 … one of the parties that doesn't know that is happening is the server 09:54:39 … there can be parties that are not aware that they may not be talking to who they want to be talking to 09:54:57 … one other point: for this threat model, what is it that accomplishes raising costs to attackers? 09:55:08 … agrees with Wendy that we want to think incremental 09:55:28 … there are a whole series of steps (e.g., TOFU) that go even further than just turning on enc 09:55:43 … not getting caught is a bit part of the attacker considerations here 09:55:53 … want to rais the attacker's costs as much as possible 09:56:05 … will force more targeted surveillance/attacks 09:56:05 s/Robie/Hardie/ 09:56:16 Ted_ has joined #strint 09:56:26 Leslie Daigle: wants to come back to Dan A.'s point about how users feel... 09:56:36 rrsagent, please draft minutes 09:56:36 I have made the request to generate http://www.w3.org/2014/03/01-strint-minutes.html rigo 09:56:37 … worked for Verisign when it did certs and cared about auth email 09:56:44 GregWood has joined #strint 09:57:03 … how the user feels is not something we can do about with network/software engineering 09:57:31 … we look at this unauth enc from what we can achieve and can we win with it 09:57:48 … if we do anything that changes the user's state of mind… rathole. 09:58:17 Steve Kent: it's not anon or pseudon enc, but keying... 09:58:26 … it's the key mgmt that gets us into this situation 09:58:36 … anonymous should be viewed in an accurate fashion… 09:58:46 we're not asserting an identity so that you can't infer one 09:59:15 … the problem with CAs/certs is that a pseudonymous auth and attack are not clearly distinguishable 09:59:39 Ted_1 has joined #strint 09:59:53 DKG: of the folks taling about UI, everyone is talking about end user 10:00:01 … there are other users… e.g., sysadmins 10:00:15 … however we do this, the sysadmin will feel like they've done enough 10:00:43 @@@@@: would like to raise a point for integrity... 10:00:58 … he cares much more about integrity than surveillance 10:01:06 s/@@@@@:/Alfredo:/ 10:01:14 … blocking an active attacker is very important for integrity 10:01:26 … the OE schemes proposed are not enough to get strong integrity protections 10:01:36 Kay Engert: doesn't like OE 10:01:53 … thinks it should be called "blurring" 10:01:57 … any encryption should use some sort of auth 10:02:06 … we focus largely on the CA model 10:02:08 s/Kay/Kai/ 10:02:17 … we should start to intro alternative forms of auth 10:02:40 … what about submitting a key to a public block 10:02:55 I think he means "locker", not block 10:03:01 But I may misunderstand 10:03:10 … email-validates self-signed certs are not a bad idea 10:03:19 s/validates/validated/ 10:03:21 he said public log 10:03:32 like in CT 10:03:33 BenL: thanks for the clarification 10:03:34 Melinda has joined #strint 10:03:34 … encryption is only encryption if you've coupled it with some sort of auth 10:03:36 ah 10:04:00 … user feedback that is really secure needs 2FA 10:04:31 Hannes T: in IETF there are folks that hope that some types of encryption aren't deployed... 10:04:33 s/???/Kai Engert/ 10:04:41 kaie has joined #strint 10:05:06 … some companies are selling boxes and wouldn't be happy with [encrypt everywhere] 10:05:42 Pete has joined #strint 10:05:46 PHB: if we assume the adversary is disclosur-adverse… we don't need to validate creds before we complete transaction 10:06:01 … if we can detect active attack subsequently, that's an important attacker consideration 10:06:27 … what about checking only in, e.g., 1% of cases, we can likely deter an adversary from an active attack 10:06:41 … as they wouldn't know if they're going to be detected 10:07:24 Max Pritkin: we need to think more about the sysadmin experience 10:07:36 rrsagent, make minutes 10:07:36 I have made the request to generate http://www.w3.org/2014/03/01-strint-minutes.html wseltzer 10:07:53 … these are ways of offloading security from the end user to the sysadmin, that might help 10:08:11 Linus tomberg: I think the auth/enc separation is very valuable for us 10:08:38 SMB closes layering discussion for a bit later 10:08:40 s/tomberg/Nordberg/ 10:08:53 RLB: notion of TOFU has been raised... 10:09:01 … wants to inject operational reality 10:09:23 … everyone has run into an SSH server where the keys have changed 10:09:35 … need some way of managing changes in keys for key continuity 10:09:43 … we have a pinning draft that has matured in websec 10:09:51 … not a lot of interest in deployment 10:10:09 … there are risks in mismanaging pins and accidentally shut yourself off the internet 10:10:17 … there are reall deployment concerns here 10:10:27 s/reall/real/ 10:10:54 SMB wants to focus discussion in a few areas: 10:11:06 … layering, separating auth from enc 10:11:16 … can't separate them cleanly 10:11:34 ldaigle has joined #strint 10:11:36 Hannes: are we talking about handshake? or what? 10:11:46 arobach has joined #strint 10:12:02 SMB: is hearing a lot of people saying let's separate how we do encryption with who is at the other end 10:12:15 … do people think this is the right way to go? show of hands. 10:12:47 (large but not overwhelming consensus… dispute on numbers) 10:13:10 Farrell: Russ and Cullen disagreed 10:13:37 Hannes says we do this now… people say that TLS doesn't do this 10:13:51 mnot: this has implications for UI 10:13:55 (room groans) 10:14:34 Farrell: maybe "we should not be tightly binding methods for end point authentication with how we do encryption" 10:14:39 (show of hands) 10:14:56 Eliot lear: I'd like to see a discussion written down about it 10:15:11 (hands had a lot of agreement with Farrell's statement" 10:15:33 EKR: someone give me an example! 10:15:44 SMB: unauth DHE to start the crypto and then you sign it later 10:16:07 SMB: on to comprehension issue 10:16:19 … what will people understand and how will this affect their behavior? 10:16:23 … does it matter? 10:16:24 sftcd: CMS requires a serial number before you can encrypt 10:16:24 other example was CMS requires issuer and serial number 10:16:49 … SMB doesn't know if his email server is using STARTTLS with any given recipient 10:17:13 PDE: one thing from Crome team… can't do this, won't do this because people won't do real HTTPS 10:17:25 SMB: we don't tell the users, we just do it 10:17:29 (rabble rabble rabble) 10:17:43 alfredo has joined #strint 10:17:46 mnot: this is the admin experience 10:18:27 Orit: it's not about the end-user or the sysadmin 10:18:39 … we need to make clear among ourselves what we're talking about 10:18:39 rrsagent, please draft minutes 10:18:39 I have made the request to generate http://www.w3.org/2014/03/01-strint-minutes.html rigo 10:19:07 Farrell: folks clearly will write a terminology RFC 10:19:21 SMB: another point that came up: who are the trusted parties/devices? 10:19:35 … who is going to assert/vouch for identities 10:19:45 Lear: this is an important question… session later 10:20:00 SMB: finally, the cost of these issues is important 10:20:08 … CPU, battery, comprehension costs 10:20:32 Dave Crocker: the list you have of things we need to work on is great. 10:20:49 … like that when we talk about actors involved, need to include users, sysadmins and us. 10:21:00 … what about goals? What is the "this" that we're trying to accomplish 10:21:15 SMB: talked yesterday about that, didn't want to raise it 10:21:23 Aaron Kaplan: layering and costs are very important points 10:21:45 … think about DNSSEC… good stuff, but big amplication factor in terms of DoS potential 10:22:02 jari: voluntary adoption works best in this case 10:22:10 … not forcing anyone to do anything 10:22:33 Jon Peterson: interested in what happens if nobody knows if encryption happens… will this spread to other places 10:22:43 … and what are the costs of that "slippery slope" 10:22:52 … you will have huge sizes and latencies eventually 10:23:14 already happens with ECC, right? Ethernet has a checksum, so does IP, so does TLS... 10:23:25 Steve Rogers: this can be difficult on a mobile network 10:23:33 … especially with satellite backhaul 10:23:50 BenL: you forgot TCP... 10:23:59 Linus Nordberg: layres should deal with that 10:24:14 Rogers: just want to acknowledge that these problems exist 10:24:32 … solutions now do things like remove encryption to improve things in restricted environments 10:25:04 PHB: we have a lot of companies with certs... 10:25:16 In an internetworking context, the presence of encryption on a particular path is not a guarantee that the encryption will continue to be present. Using at a layer that is not path dependent is required to retain confidence. 10:25:17 … and they don't turn on SSL except for auth and check-out 10:25:29 … in 1995 encryption was $$$ 10:25:34 dougm has joined #strint 10:25:49 … it's now cheap but we have remanants of these effects 10:26:40 @@@@@@: are we saying that there are cases when authentication is not desirable? 10:26:46 SMB: yes, that is in scope 10:27:11 @@@@@@: what about making auth more ubiquituous? 10:27:18 SMB: because it's particularly hard 10:27:39 Dana: if the point is to protect against PM... 10:27:54 … then we clearly want to encrypt as much as possible to avoid examination 10:27:55 hhalpin has joined #strint 10:28:20 @@1: an encrypted web is a less-cacheable web 10:28:34 … planes with satellite backhaul, the interplanetary web 10:28:56 Lear: there are entire countries that rely on caching... 10:29:11 s/@@1/Dan Appelquist/ 10:29:11 … can't ignore it. Let's not dismiss it. 10:29:21 Lear: Madagascar is one 10:29:33 (talking about break-outs) 10:30:43 Wendy: want an IRC channel for each of these 10:31:17 thanks, JoeHallCDT! 10:38:54 [breakouts in irc, subject to change: #research, #browser, #onbydefault, #measure, #opportunistic] 11:05:06 JMC has joined #strint 11:05:28 npd has joined #strint 11:05:50 jschlyter has joined #strint 11:05:58 dka has joined #strint 11:06:02 hildjj has joined #strint 11:06:37 cabo has joined #strint 11:06:41 [discussion of breakouts] 11:06:57 DThaler has joined #strint 11:07:07 Pete has joined #strint 11:07:26 Satoshi has joined #Strint 11:07:49 mcmanus has joined #strint 11:08:04 Thinking laterally, Why don't we just get the intel services to quiet down by giving them a copy of the Internet backup? 11:08:05 PhilippeDeRyck has joined #strint 11:08:55 Zakim has left #strint 11:10:02 scribenick: wseltzer 11:10:13 Topic: Metadata 11:10:15 JoeHallCDT has joined #strint 11:10:22 wseltzer: you missed #client from the list of breakouts 11:10:22 Alfredo: What is metadata? 11:10:56 kodonog has joined #strint 11:11:03 wendyg has joined #strint 11:11:04 dougm has joined #strint 11:11:16 metadata is the interesting data which is used to justify and execute drone strikes 11:11:25 ... "everything that is not encrypted is metadata"? 11:11:45 ... let's start there and get more precise 11:12:01 hhalpin has joined #strint 11:12:05 ... additional data added to the encrypted payload, e.g., addressing information 11:12:18 ... does identity need to be coupled with recipient address? 11:12:33