IRC log of strint on 2014-03-01

Timestamps are in UTC.

08:16:56 [RRSAgent]
RRSAgent has joined #strint
08:16:56 [RRSAgent]
logging to
08:17:12 [wseltzer]
rrsagent, set logs public
08:26:21 [jphillips]
jphillips has joined #strint
08:31:07 [Ted_]
Ted_ has joined #strint
08:31:10 [wjontof]
wjontof has joined #strint
08:55:33 [JoeHallCDT]
JoeHallCDT has joined #strint
08:55:54 [JoeHallCDT]
scribenick: JoeHallCDT
09:00:52 [JoeHallCDT]
for remotes: the room is still quite unsettled
09:02:21 [sftcd]
sftcd has joined #strint
09:04:02 [Zakim]
Zakim has joined #strint
09:04:34 [JoeHallCDT]
09:05:08 [JoeHallCDT]
wish we could "skin" Zakim… e.g., for old-school U.S. hip-hop fans it could be "Rakim"
09:05:40 [JoeHallCDT]
scribenick: JoeHallCDT
09:07:13 [jphillips]
jphillips has joined #strint
09:08:00 [JoeHallCDT]
JoeHallCDT has joined #strint
09:10:00 [JoeHallCDT]
we're starting
09:10:23 [JoeHallCDT]
Farrell: we'll discuss breakouts at the end of this session
09:10:45 [JoeHallCDT]
mnot: I've been asked to intro opportunistic encryption (OE)
09:11:02 [JoeHallCDT]
… 7 papers submitted on OE or OA
09:11:28 [JoeHallCDT]
… (summarizes 07, 12, 27, 32, 40, 66, 46)
09:11:42 [arobach]
arobach has joined #strint
09:11:47 [JoeHallCDT]
… mnot's is 12, won't discuss much
09:12:03 [JoeHallCDT]
… 40 deep-dive on OE… not as relevant for a high-level discussion
09:12:24 [JoeHallCDT]
… 66 good survey of how OE is already used (IPSec, VOIP, NAT, TLS)
09:12:37 [JoeHallCDT]
… starts to collect relevant terminology… very important to know what we mean clearly when we say OE
09:12:54 [JoeHallCDT]
… mnot was saying "optimistic" originally [laughs]
09:13:05 [JoeHallCDT]
… 07, 27 discuss what "most people" seem to mean by OE
09:13:10 [mcmanus]
mcmanus has joined #strint
09:13:21 [JoeHallCDT]
… tries to understand the risks and benefits of OE
09:13:46 [JoeHallCDT]
… 07, 27 are good places to start in mnot's opinion
09:14:08 [JoeHallCDT]
… 32 proposes tcpcrypt as a low-cost way of getting OE in the stack
09:14:13 [Jiangshan]
Jiangshan has joined #strint
09:14:17 [JoeHallCDT]
… first paper that separates encryption from auth
09:14:22 [PhilippeDeRyck]
PhilippeDeRyck has joined #strint
09:14:33 [DThaler]
DThaler has joined #strint
09:14:44 [JoeHallCDT]
… 46 very similar. proposes a secure password store that does not allow the passwords to go out, but used for auth… combined with PAKE
09:14:54 [JoeHallCDT]
… related things besides these papers
09:15:05 [JoeHallCDT]
… mnot is about to get all HTTPBis on us all
09:15:33 [JoeHallCDT]
… TLS for HTTP URIs… not sure if it will be authenticated or not just yet
09:15:45 [JoeHallCDT]
… lots of concerns about what happens when we allow OE
09:16:01 [ldaigle]
ldaigle has joined #strint
09:16:01 [kodonog]
kodonog has joined #strint
09:16:35 [JoeHallCDT]
… opportunity cost: what would we miss out by focusing on OE
09:16:49 [JoeHallCDT]
… folks in the WG submitted a draft talking about an "explicity proxy"
09:17:00 [fluffy]
fluffy has joined #strint
09:17:02 [wseltzer]
09:17:04 [JoeHallCDT]
… allows a HTTP proxy that can view content
09:17:19 [hildjj]
hildjj has joined #strint
09:17:57 [dka]
dka has joined #strint
09:18:09 [grothoff]
grothoff has joined #strint
09:18:12 [JoeHallCDT]
… Brad Hill from ebay pointed out this goes from two states of security (HTTP/S) to three (Auth or not)
09:18:26 [JoeHallCDT]
… lot of dependence on unauth connections
09:18:44 [JoeHallCDT]
… captive portals, virus scanning, policy enforcement, optimization
09:18:46 [sftcd]
did Mark actually say pervasive monitoring at all yet?
09:18:59 [JoeHallCDT]
… TLS MITM is becoming more common
09:19:31 [JoeHallCDT]
… some suggested discussion points
09:19:46 [JoeHallCDT]
… terminology. lets' not use "OE" because it causes confusion
09:19:58 [JoeHallCDT]
… auth vs. anonymous
09:20:10 [JoeHallCDT]
… fail-safe vs. fail-silent
09:20:20 [JoeHallCDT]
… (argument ensues about terminology point)
09:20:54 [JoeHallCDT]
… 2. ratholes to avoid
09:21:03 [JoeHallCDT]
… specific tech/solns
09:21:13 [JoeHallCDT]
… speculation on UI/UX
09:21:27 [JoeHallCDT]
… (it's very important but not for us to talk meaningfully)
09:21:34 [JoeHallCDT]
… not the right people in the room
09:21:38 [JoeHallCDT]
… 3. Questions
09:21:39 [DThaler]
but we have a breakout session on it
09:21:52 [JoeHallCDT]
… is protecting against PM worth the risks?
09:22:07 [JoeHallCDT]
… confusing users, encouraging relatively trivial attacks
09:22:19 [JoeHallCDT]
… is the use of encryption without auth appropriate?
09:22:23 [wseltzer]
[the breakout could be about recoginizing the importance of UX/UI, not designing the interfaces right here]
09:22:30 [JoeHallCDT]
… is failing encryption silently appropriate?
09:22:42 [JoeHallCDT]
… are either appropriate for new protocols
09:23:00 [JoeHallCDT]
… are there alternate ways to overcome deploument issues of "full" encryption?
09:23:19 [JoeHallCDT]
… finally, what other work is impliated by ubiq-encrypt?
09:23:40 [JoeHallCDT]
SMB: let the games begin!
09:24:22 [JoeHallCDT]
Dave Crocker: would like to challenge a premise that was put forward twice
09:24:29 [JoeHallCDT]
… about getting confused for having more states for security
09:24:42 [JoeHallCDT]
… the assumption is with HTTPS that we don't already have a lot of confusion
09:24:48 [JoeHallCDT]
… users don't undersand HTTPS
09:24:58 [donnelly]
donnelly has joined #strint
09:25:03 [JoeHallCDT]
… we should stop using the word security… means too much and too little
09:25:33 [JoeHallCDT]
Larry Masinter: there's a gap b/w protecting against PM...
09:25:46 [JoeHallCDT]
… does OE help at all?
09:25:56 [JoeHallCDT]
Farrell: enc does help!
09:26:01 [JoeHallCDT]
Larry: not clear to me.
09:26:16 [JoeHallCDT]
… not clear to the vulnerable populations… mainly concerned about phishing or use of private info.
09:26:45 [JoeHallCDT]
… since this doesn't protect against active attacks
09:26:47 [wseltzer]
[even so, that doesn't mean we shouldn't protect the other parts of the population]
09:26:54 [JoeHallCDT]
… interferes with anonymizers
09:27:12 [JoeHallCDT]
@@: start with terminology
09:27:15 [dacheng]
dacheng has joined #strint
09:27:19 [dacheng]
dacheng has left #strint
09:27:22 [ldaigle]
ldaigle has joined #strint
09:27:22 [JoeHallCDT]
… when we talk about fail-safe, that's not right…
09:27:33 [JoeHallCDT]
… it's about do we succeed at all in getting encryption
09:27:47 [Ted_]
Ted_ has joined #strint
09:27:55 [cabo]
cabo has joined #strint
09:28:00 [JoeHallCDT]
@@@: there are more states in the world than auth/unauth
09:28:10 [JoeHallCDT]
09:28:10 [wseltzer]
s/@@/Max Pritkin/
09:28:25 [JoeHallCDT]
… having after-the-fact evidence of MITM is very valuable
09:28:26 [dacheng]
dacheng has joined #strint
09:28:48 [JoeHallCDT]
… we should rephrase this whole auth/noauth debate into what kind of evidence do you have that you're speaking to the right person?
09:28:56 [JoeHallCDT]
… not just a binary thing… much more nuanced
09:29:13 [JoeHallCDT]
Coop: cute setup!
09:29:25 [JoeHallCDT]
… user confusion is an issue but we can't talk about it?
09:29:40 [JoeHallCDT]
… very important as this problem is conceptualized too much about what will be exposed to users
09:29:51 [JoeHallCDT]
… no reason that OE can't be hidden entirely from users
09:29:54 [W3C]
W3C has joined #strint
09:29:59 [JoeHallCDT]
(lots of hear hears!)
09:30:15 [JoeHallCDT]
DKG: was going to say that as one point...
09:30:29 [JoeHallCDT]
… confusion is not possible to talk about without some UI discussion
09:30:42 [Ted_1]
Ted_1 has joined #strint
09:30:42 [JoeHallCDT]
… there are existing mechanisms that expose things like this… OTR is an example
09:30:57 [dka]
+1 to usability being a vital topic here.
09:31:01 [JoeHallCDT]
… also, the other axis… auth/anonymous… should be auth/no auth
09:31:31 [JoeHallCDT]
mnot: to be clear: not suggesting terminology that should exist past 10:30a GMT today
09:32:00 [JoeHallCDT]
Peter Resnick: want to reenforce that we really want to have no user exposing of the details at all
09:32:05 [JoeHallCDT]
… if they are seeing it, it's a mistake
09:32:22 [JoeHallCDT]
… to Larry's point, does not believe for a minute that this is not helpful in some way
09:32:33 [JoeHallCDT]
… claim is that this doesn't allow anonymizers to work is rubbish
09:32:41 [JoeHallCDT]
… now you fail in cleartext
09:32:55 [JoeHallCDT]
… would much rather have underlying encryption that helps users not be in the clar
09:33:02 [JoeHallCDT]
09:33:29 [JoeHallCDT]
Kenny Patterson: speaking on behalf of cryptography community (apologizes for that)...
09:33:37 [JoeHallCDT]
… OE has a very specific meaning in crypto community
09:33:44 [JoeHallCDT]
… very different from what we're talking about here
09:33:50 [JoeHallCDT]
… have no idea what to call it
09:34:08 [JoeHallCDT]
PHB: thinks that the term fail-silent may be confusing...
09:34:16 [JoeHallCDT]
… wants "succeed-silent"
09:34:37 [JoeHallCDT]
… wants there to be an IETF rule that there can be no "Do not talk about the UI" from henceforth
09:34:55 [JoeHallCDT]
… we already have OE… it's called Domain-validated certs without checking OCSP
09:35:08 [JoeHallCDT]
… all browsers do this for the sake of shaving ms off of latency
09:35:20 [BenL]
PHB is so right about succeed-silent
09:35:22 [JoeHallCDT]
… some folks are determined to make us secure only with low latency
09:35:41 [hildjj]
hildjj has joined #strint
09:35:44 [JoeHallCDT]
Steve Kent: with regard to use of pseudonymous creds, we do need to be careful
09:36:07 [JoeHallCDT]
… given the confusion with UI, we shouldn't assume [something]
09:36:29 [JoeHallCDT]
… things that encryption by default is not always a good thing, in net
09:36:49 [JoeHallCDT]
… the use of battery on mobile devices should be part of the discussino
09:37:03 [JoeHallCDT]
SMB: half of people have spoken that UI is iimportant
09:37:22 [JoeHallCDT]
(asks for a show of hands… rules that the overwhelming sense of the room is that it is important)
09:37:38 [JoeHallCDT]
Russ: many years ago, SMB and Russ wrote a draft about automated key mgmt
09:37:45 [alfredo]
alfredo has joined #strint
09:37:55 [JoeHallCDT]
… need a similar statement where if you have an environment that supports encryption, it should be on by default
09:38:15 [JoeHallCDT]
Rigo: want to insist that we should decouple encryption and auth
09:38:40 [JoeHallCDT]
… rigo's paper talks about how [something] is totally broken in auth across all protocols
09:38:48 [JoeHallCDT]
… wants a cognitive scientist to weigh in
09:39:03 [JoeHallCDT]
EKR: finds this discussion unmoored from reality
09:39:15 [JoeHallCDT]
… at the HTTP interim in Zurich we talked about this
09:39:38 [JoeHallCDT]
… encryption tied to an auth cred, although not authenticated encryption
09:39:54 [Ted_1]
One question that seems to be missed here: if the goal is to raise the cost to the attacker, does the inclusion of authentication increase those costs? The answer seems to me be yes, since it makes the cost of active attack much higher.
09:39:57 [JoeHallCDT]
… when it came down to what we really wanted to do… we foundered
09:40:05 [JoeHallCDT]
… some problems:
09:40:24 [JoeHallCDT]
… 1. on side there was concern that network environments are important
09:40:39 [JoeHallCDT]
… on the other side there were people that do not want encryption not tied to identity
09:40:58 [JoeHallCDT]
… when we provisionally agreed to do this, trying to do it in HTTP was very difficult
09:41:06 [JoeHallCDT]
… due to the interaction model and what servers can assume
09:41:17 [JoeHallCDT]
… huge gap between "that'd be nice" and how to get there
09:41:17 [BenL]
Ted_1: this is true, but its not always an available option
09:41:26 [JoeHallCDT]
mnot: doesn't think the discussion foundered
09:41:35 [JoeHallCDT]
… ruled out the absolutish perspectives
09:41:40 [JoeHallCDT]
… and are doing some testing
09:41:47 [JoeHallCDT]
… it's TBD
09:42:11 [wseltzer]
smb: We haven't foundered, we're becalmed
09:42:25 [JoeHallCDT]
Orit Levin: encryption helps with not only PM but a lot of other things
09:42:33 [Ted_1]
BenL: I agree, but if you are persuaded by the idea, then the question may be how to narrow the number of cases where it is not an available option and be transparent on the cases where it still is not.
09:42:46 [JoeHallCDT]
… while we're talking about OE and auth/noauth… how can we talk about it when we don't know what auth or noauth is?
09:43:03 [JoeHallCDT]
… there is a zoo of things in there
09:43:17 [JoeHallCDT]
… what do we mean by auth vs. noauth?
09:43:35 [JoeHallCDT]
Dan Appelquist: about usability
09:43:50 [kenny]
kenny has joined #STRINT
09:43:58 [JoeHallCDT]
… when engineers talk about users, they mix usability, UI, UX, etc.
09:44:04 [JoeHallCDT]
… they mix them all up
09:44:13 [JoeHallCDT]
… what we're talking about here is "user considerations" maybe
09:44:33 [JoeHallCDT]
… said well yesterday with "making it safe for users to buy stuff online"
09:44:43 [JoeHallCDT]
… it's about what we want them to understand about security and auth
09:44:53 [BenL]
Ted_1: right, so that's why PAKEs and OS-level password stores are important: often I already have a password-authenticated relationship with the other end - we can leverage that up to authenticated channels
09:45:18 [JoeHallCDT]
Dan again: dangerous to say that x protocol doesn't have a user
09:45:29 [JoeHallCDT]
… for email, the user is the person reading the email
09:45:30 [Ted_1]
BenL: agreed
09:45:32 [BenL]
btw, "authenticated channel" vs "authenticated encryption" might fix the cryptographer confusion problem
09:45:38 [JoeHallCDT]
… in IoT there are users connected by IoT
09:46:24 [JoeHallCDT]
Pete Resnick: with psuedonymous the assumption is that there is no encryption at the auth level
09:46:46 [JoeHallCDT]
… it's for the later step when you know what the connection is that you can name it something
09:47:06 [ldaigle]
ldaigle has joined #strint
09:47:14 [JoeHallCDT]
Wendy Seltzer: speaks in favor of incremental improvements
09:47:15 [rigo]
wseltzer: wants incremental improvements
09:47:36 [JoeHallCDT]
… can we recognize that encryption in the middle doesn't solve all problems but raises costs for the attacker
09:47:49 [JoeHallCDT]
… don't want this incremental to block further ones that might do an even better job
09:48:14 [JoeHallCDT]
… but because it doesn't solve all our problems, that's not a good excuse to not do it
09:48:26 [JoeHallCDT]
Pat McManus: spent the past 6 months deep in this for HTTP
09:48:47 [JoeHallCDT]
… unauth for HTTP URIs has a few very attractive properties and a few unattractive ones
09:49:02 [JoeHallCDT]
… the biggest pro is that it's a drop-in replacement
09:49:24 [JoeHallCDT]
… incentives have to be nontrivial to do things that are not so easy
09:49:39 [JoeHallCDT]
… making this plug-and-play is crucial
09:49:48 [JoeHallCDT]
… distinction between auth/unauth is not a binary one
09:50:00 [JoeHallCDT]
… pinning is an example of a stepping stone
09:50:16 [JoeHallCDT]
… has a FF build that does OE and alternate services
09:50:27 [JoeHallCDT]
… will tweet out a link if you'd like to play
09:50:49 [JoeHallCDT]
… neither Chrome nor Firefox will ship HTTP2 in an unencrypted fashion
09:51:01 [JoeHallCDT]
… may be forced to compete on cleartext HTTP2 protocol
09:51:27 [JoeHallCDT]
@@@@: with encrypting in the core...
09:51:39 [Ted_1]
s/@@@@/Melinda Shore/
09:51:39 [rigo]
09:51:41 [JoeHallCDT]
… on problem with UI, is that applications don't always know their security state
09:52:01 [JoeHallCDT]
… middlebox issues are getting short shrift
09:52:22 [JoeHallCDT]
… IETF/W3C are a bit disavantaged by not having network operators in the hizzy
09:52:28 [dcrocker]
dcrocker has joined #strint
09:52:31 [JoeHallCDT]
… they're a big deal.
09:53:03 [JoeHallCDT]
Eliot Lear: need to refine our threat model for middleboxes and OE
09:53:13 [JoeHallCDT]
… if there are specific actions that we should take, please state them.
09:53:30 [JoeHallCDT]
SMB: need to talk about the "trust model" of a middlebox environment
09:54:06 [JoeHallCDT]
Ted Robie: what's the user expectation when a TLS setup is interrupted...
09:54:15 [JoeHallCDT]
… one of the parties that doesn't know that is happening is the server
09:54:39 [JoeHallCDT]
… there can be parties that are not aware that they may not be talking to who they want to be talking to
09:54:57 [JoeHallCDT]
… one other point: for this threat model, what is it that accomplishes raising costs to attackers?
09:55:08 [JoeHallCDT]
… agrees with Wendy that we want to think incremental
09:55:28 [JoeHallCDT]
… there are a whole series of steps (e.g., TOFU) that go even further than just turning on enc
09:55:43 [JoeHallCDT]
… not getting caught is a bit part of the attacker considerations here
09:55:53 [JoeHallCDT]
… want to rais the attacker's costs as much as possible
09:56:05 [JoeHallCDT]
… will force more targeted surveillance/attacks
09:56:05 [DThaler]
09:56:16 [Ted_]
Ted_ has joined #strint
09:56:26 [JoeHallCDT]
Leslie Daigle: wants to come back to Dan A.'s point about how users feel...
09:56:36 [rigo]
rrsagent, please draft minutes
09:56:36 [RRSAgent]
I have made the request to generate rigo
09:56:37 [JoeHallCDT]
… worked for Verisign when it did certs and cared about auth email
09:56:44 [GregWood]
GregWood has joined #strint
09:57:03 [JoeHallCDT]
… how the user feels is not something we can do about with network/software engineering
09:57:31 [JoeHallCDT]
… we look at this unauth enc from what we can achieve and can we win with it
09:57:48 [JoeHallCDT]
… if we do anything that changes the user's state of mind… rathole.
09:58:17 [JoeHallCDT]
Steve Kent: it's not anon or pseudon enc, but keying...
09:58:26 [JoeHallCDT]
… it's the key mgmt that gets us into this situation
09:58:36 [JoeHallCDT]
… anonymous should be viewed in an accurate fashion…
09:58:46 [JoeHallCDT]
we're not asserting an identity so that you can't infer one
09:59:15 [JoeHallCDT]
… the problem with CAs/certs is that a pseudonymous auth and attack are not clearly distinguishable
09:59:39 [Ted_1]
Ted_1 has joined #strint
09:59:53 [JoeHallCDT]
DKG: of the folks taling about UI, everyone is talking about end user
10:00:01 [JoeHallCDT]
… there are other users… e.g., sysadmins
10:00:15 [JoeHallCDT]
… however we do this, the sysadmin will feel like they've done enough
10:00:43 [JoeHallCDT]
@@@@@: would like to raise a point for integrity...
10:00:58 [JoeHallCDT]
… he cares much more about integrity than surveillance
10:01:06 [wseltzer]
10:01:14 [JoeHallCDT]
… blocking an active attacker is very important for integrity
10:01:26 [JoeHallCDT]
… the OE schemes proposed are not enough to get strong integrity protections
10:01:36 [JoeHallCDT]
Kay Engert: doesn't like OE
10:01:53 [JoeHallCDT]
… thinks it should be called "blurring"
10:01:57 [JoeHallCDT]
… any encryption should use some sort of auth
10:02:06 [JoeHallCDT]
… we focus largely on the CA model
10:02:08 [wseltzer]
10:02:17 [JoeHallCDT]
… we should start to intro alternative forms of auth
10:02:40 [JoeHallCDT]
… what about submitting a key to a public block
10:02:55 [Ted_1]
I think he means "locker", not block
10:03:01 [Ted_1]
But I may misunderstand
10:03:10 [JoeHallCDT]
… email-validates self-signed certs are not a bad idea
10:03:19 [JoeHallCDT]
10:03:21 [BenL]
he said public log
10:03:32 [BenL]
like in CT
10:03:33 [Ted_1]
BenL: thanks for the clarification
10:03:34 [Melinda]
Melinda has joined #strint
10:03:34 [JoeHallCDT]
… encryption is only encryption if you've coupled it with some sort of auth
10:03:36 [JoeHallCDT]
10:04:00 [JoeHallCDT]
… user feedback that is really secure needs 2FA
10:04:31 [JoeHallCDT]
Hannes T: in IETF there are folks that hope that some types of encryption aren't deployed...
10:04:33 [grothoff]
s/???/Kai Engert/
10:04:41 [kaie]
kaie has joined #strint
10:05:06 [JoeHallCDT]
… some companies are selling boxes and wouldn't be happy with [encrypt everywhere]
10:05:42 [Pete]
Pete has joined #strint
10:05:46 [JoeHallCDT]
PHB: if we assume the adversary is disclosur-adverse… we don't need to validate creds before we complete transaction
10:06:01 [JoeHallCDT]
… if we can detect active attack subsequently, that's an important attacker consideration
10:06:27 [JoeHallCDT]
… what about checking only in, e.g., 1% of cases, we can likely deter an adversary from an active attack
10:06:41 [JoeHallCDT]
… as they wouldn't know if they're going to be detected
10:07:24 [JoeHallCDT]
Max Pritkin: we need to think more about the sysadmin experience
10:07:36 [wseltzer]
rrsagent, make minutes
10:07:36 [RRSAgent]
I have made the request to generate wseltzer
10:07:53 [JoeHallCDT]
… these are ways of offloading security from the end user to the sysadmin, that might help
10:08:11 [JoeHallCDT]
Linus tomberg: I think the auth/enc separation is very valuable for us
10:08:38 [JoeHallCDT]
SMB closes layering discussion for a bit later
10:08:40 [wseltzer]
10:08:53 [JoeHallCDT]
RLB: notion of TOFU has been raised...
10:09:01 [JoeHallCDT]
… wants to inject operational reality
10:09:23 [JoeHallCDT]
… everyone has run into an SSH server where the keys have changed
10:09:35 [JoeHallCDT]
… need some way of managing changes in keys for key continuity
10:09:43 [JoeHallCDT]
… we have a pinning draft that has matured in websec
10:09:51 [JoeHallCDT]
… not a lot of interest in deployment
10:10:09 [JoeHallCDT]
… there are risks in mismanaging pins and accidentally shut yourself off the internet
10:10:17 [JoeHallCDT]
… there are reall deployment concerns here
10:10:27 [wseltzer]
10:10:54 [JoeHallCDT]
SMB wants to focus discussion in a few areas:
10:11:06 [JoeHallCDT]
… layering, separating auth from enc
10:11:16 [JoeHallCDT]
… can't separate them cleanly
10:11:34 [ldaigle]
ldaigle has joined #strint
10:11:36 [JoeHallCDT]
Hannes: are we talking about handshake? or what?
10:11:46 [arobach]
arobach has joined #strint
10:12:02 [JoeHallCDT]
SMB: is hearing a lot of people saying let's separate how we do encryption with who is at the other end
10:12:15 [JoeHallCDT]
… do people think this is the right way to go? show of hands.
10:12:47 [JoeHallCDT]
(large but not overwhelming consensus… dispute on numbers)
10:13:10 [JoeHallCDT]
Farrell: Russ and Cullen disagreed
10:13:37 [JoeHallCDT]
Hannes says we do this now… people say that TLS doesn't do this
10:13:51 [JoeHallCDT]
mnot: this has implications for UI
10:13:55 [JoeHallCDT]
(room groans)
10:14:34 [JoeHallCDT]
Farrell: maybe "we should not be tightly binding methods for end point authentication with how we do encryption"
10:14:39 [JoeHallCDT]
(show of hands)
10:14:56 [JoeHallCDT]
Eliot lear: I'd like to see a discussion written down about it
10:15:11 [JoeHallCDT]
(hands had a lot of agreement with Farrell's statement"
10:15:33 [JoeHallCDT]
EKR: someone give me an example!
10:15:44 [JoeHallCDT]
SMB: unauth DHE to start the crypto and then you sign it later
10:16:07 [JoeHallCDT]
SMB: on to comprehension issue
10:16:19 [JoeHallCDT]
… what will people understand and how will this affect their behavior?
10:16:23 [JoeHallCDT]
… does it matter?
10:16:24 [rigo]
sftcd: CMS requires a serial number before you can encrypt
10:16:24 [BenL]
other example was CMS requires issuer and serial number
10:16:49 [JoeHallCDT]
… SMB doesn't know if his email server is using STARTTLS with any given recipient
10:17:13 [JoeHallCDT]
PDE: one thing from Crome team… can't do this, won't do this because people won't do real HTTPS
10:17:25 [JoeHallCDT]
SMB: we don't tell the users, we just do it
10:17:29 [JoeHallCDT]
(rabble rabble rabble)
10:17:43 [alfredo]
alfredo has joined #strint
10:17:46 [JoeHallCDT]
mnot: this is the admin experience
10:18:27 [JoeHallCDT]
Orit: it's not about the end-user or the sysadmin
10:18:39 [JoeHallCDT]
… we need to make clear among ourselves what we're talking about
10:18:39 [rigo]
rrsagent, please draft minutes
10:18:39 [RRSAgent]
I have made the request to generate rigo
10:19:07 [JoeHallCDT]
Farrell: folks clearly will write a terminology RFC
10:19:21 [JoeHallCDT]
SMB: another point that came up: who are the trusted parties/devices?
10:19:35 [JoeHallCDT]
… who is going to assert/vouch for identities
10:19:45 [JoeHallCDT]
Lear: this is an important question… session later
10:20:00 [JoeHallCDT]
SMB: finally, the cost of these issues is important
10:20:08 [JoeHallCDT]
… CPU, battery, comprehension costs
10:20:32 [JoeHallCDT]
Dave Crocker: the list you have of things we need to work on is great.
10:20:49 [JoeHallCDT]
… like that when we talk about actors involved, need to include users, sysadmins and us.
10:21:00 [JoeHallCDT]
… what about goals? What is the "this" that we're trying to accomplish
10:21:15 [JoeHallCDT]
SMB: talked yesterday about that, didn't want to raise it
10:21:23 [JoeHallCDT]
Aaron Kaplan: layering and costs are very important points
10:21:45 [JoeHallCDT]
… think about DNSSEC… good stuff, but big amplication factor in terms of DoS potential
10:22:02 [JoeHallCDT]
jari: voluntary adoption works best in this case
10:22:10 [JoeHallCDT]
… not forcing anyone to do anything
10:22:33 [JoeHallCDT]
Jon Peterson: interested in what happens if nobody knows if encryption happens… will this spread to other places
10:22:43 [JoeHallCDT]
… and what are the costs of that "slippery slope"
10:22:52 [JoeHallCDT]
… you will have huge sizes and latencies eventually
10:23:14 [BenL]
already happens with ECC, right? Ethernet has a checksum, so does IP, so does TLS...
10:23:25 [JoeHallCDT]
Steve Rogers: this can be difficult on a mobile network
10:23:33 [JoeHallCDT]
… especially with satellite backhaul
10:23:50 [grothoff]
BenL: you forgot TCP...
10:23:59 [JoeHallCDT]
Linus Nordberg: layres should deal with that
10:24:14 [JoeHallCDT]
Rogers: just want to acknowledge that these problems exist
10:24:32 [JoeHallCDT]
… solutions now do things like remove encryption to improve things in restricted environments
10:25:04 [JoeHallCDT]
PHB: we have a lot of companies with certs...
10:25:16 [Ted_1]
In an internetworking context, the presence of encryption on a particular path is not a guarantee that the encryption will continue to be present. Using at a layer that is not path dependent is required to retain confidence.
10:25:17 [JoeHallCDT]
… and they don't turn on SSL except for auth and check-out
10:25:29 [JoeHallCDT]
… in 1995 encryption was $$$
10:25:34 [dougm]
dougm has joined #strint
10:25:49 [JoeHallCDT]
… it's now cheap but we have remanants of these effects
10:26:40 [JoeHallCDT]
@@@@@@: are we saying that there are cases when authentication is not desirable?
10:26:46 [JoeHallCDT]
SMB: yes, that is in scope
10:27:11 [JoeHallCDT]
@@@@@@: what about making auth more ubiquituous?
10:27:18 [JoeHallCDT]
SMB: because it's particularly hard
10:27:39 [JoeHallCDT]
Dana: if the point is to protect against PM...
10:27:54 [JoeHallCDT]
… then we clearly want to encrypt as much as possible to avoid examination
10:27:55 [hhalpin]
hhalpin has joined #strint
10:28:20 [JoeHallCDT]
@@1: an encrypted web is a less-cacheable web
10:28:34 [JoeHallCDT]
… planes with satellite backhaul, the interplanetary web
10:28:56 [JoeHallCDT]
Lear: there are entire countries that rely on caching...
10:29:11 [rigo]
s/@@1/Dan Appelquist/
10:29:11 [JoeHallCDT]
… can't ignore it. Let's not dismiss it.
10:29:21 [JoeHallCDT]
Lear: Madagascar is one
10:29:33 [JoeHallCDT]
(talking about break-outs)
10:30:43 [JoeHallCDT]
Wendy: want an IRC channel for each of these
10:31:17 [wseltzer]
thanks, JoeHallCDT!
10:38:54 [wseltzer]
[breakouts in irc, subject to change: #research, #browser, #onbydefault, #measure, #opportunistic]
11:05:06 [JMC]
JMC has joined #strint
11:05:28 [npd]
npd has joined #strint
11:05:50 [jschlyter]
jschlyter has joined #strint
11:05:58 [dka]
dka has joined #strint
11:06:02 [hildjj]
hildjj has joined #strint
11:06:37 [cabo]
cabo has joined #strint
11:06:41 [wseltzer]
[discussion of breakouts]
11:06:57 [DThaler]
DThaler has joined #strint
11:07:07 [Pete]
Pete has joined #strint
11:07:26 [Satoshi]
Satoshi has joined #Strint
11:07:49 [mcmanus]
mcmanus has joined #strint
11:08:04 [Satoshi]
Thinking laterally, Why don't we just get the intel services to quiet down by giving them a copy of the Internet backup?
11:08:05 [PhilippeDeRyck]
PhilippeDeRyck has joined #strint
11:08:55 [Zakim]
Zakim has left #strint
11:10:02 [wseltzer]
scribenick: wseltzer
11:10:13 [wseltzer]
Topic: Metadata
11:10:15 [JoeHallCDT]
JoeHallCDT has joined #strint
11:10:22 [BenL]
wseltzer: you missed #client from the list of breakouts
11:10:22 [wseltzer]
Alfredo: What is metadata?
11:10:56 [kodonog]
kodonog has joined #strint
11:11:03 [wendyg]
wendyg has joined #strint
11:11:04 [dougm]
dougm has joined #strint
11:11:16 [grothoff]
metadata is the interesting data which is used to justify and execute drone strikes
11:11:25 [wseltzer]
... "everything that is not encrypted is metadata"?
11:11:45 [wseltzer]
... let's start there and get more precise
11:12:01 [hhalpin]
hhalpin has joined #strint
11:12:05 [wseltzer]
... additional data added to the encrypted payload, e.g., addressing information
11:12:18 [wseltzer]
... does identity need to be coupled with recipient address?
11:12:33 [wseltzer]
... side-channels, info disclosed by nature of the communication
11:12:38 [DThaler]
yeah can we please not use #browser (point yesterday was stuart's discussion is not limited to browser). #client is better.
11:12:45 [wseltzer]
... e.g. time, size, pattern
11:12:50 [grothoff]
Metadata is now a propaganda term used to change the discourse, adopting the language of the national security agencies means playing according to their rules.
11:13:08 [wseltzer]
DThaler, sure, amendment accepted. #client instead of #browser
11:13:42 [barryleiba]
barryleiba has joined #strint
11:14:05 [wseltzer]
Alfredo: metadata is widely available; encrypted variants are not widely deployed
11:14:16 [JoeHallCDT]
isn't that incorrect?
11:14:32 [JoeHallCDT]
aren't all consumer OSs not doing MAC-based IPv6
11:14:42 [wseltzer]
... Can we have transparent metadata protection?
11:14:52 [wseltzer]
... challening for efficient routing.
11:15:03 [wseltzer]
... With application cooperation?
11:15:24 [wseltzer]
... i.e., if application indicates sensitive or linkable information
11:15:31 [DThaler]
@joe: I don't know about "all" but certainly Windows isn't. And there's work in the IETF trying to either deprecate it or at least not use it by default, to match implementations
11:15:53 [wseltzer]
Alfredo: exploiting metadata
11:16:10 [wseltzer]
... browsed content, document flow
11:16:27 [JoeHallCDT]
thanks, Alissa has a blog from last year that points to other OSs too:
11:16:37 [wseltzer]
-> Slides
11:16:47 [DThaler]
11:16:51 [wseltzer]
s/Slides/Alfredo's slides/
11:16:53 [JoeHallCDT]
11:16:55 [dacheng]
dacheng has joined #strint
11:17:39 [drogersuk]
drogersuk has joined #strint
11:17:44 [wseltzer]
Alfredo: Federated communication
11:19:03 [wseltzer]
Ted_Hardie: Mitigations, a bit less hopeful than solutions
11:19:18 [wseltzer]
-> Ted's slides
11:19:38 [wseltzer]
Ted: Metadata in a flow, from the simple fact two parties are communicating
11:19:39 [pde]
pde has joined #STRINT
11:19:43 [DThaler]
@Joe: I checked the blog you pointed to and Alissa is talking about enabling privacy addresses. That doesn't mean nodes don't ALSO have mac-derived addresses.
11:19:53 [wseltzer]
... mitigations require a confidential channel
11:20:14 [wseltzer]
... not much use protecting the metadata on plaintext content
11:20:35 [wseltzer]
... Possible mitigations: aggregation, contraflow, multi-path
11:20:58 [wseltzer]
... raise the cost of pervasive surveillance
11:21:39 [wseltzer]
... If you have a tap on aggregate data, you know flow originates from pooling point, but not individual behind it without more expense
11:22:31 [JoeHallCDT]
ah, thank you, sir
11:23:34 [wseltzer]
... Contraflow. tunneling forces attacker to do more correlation
11:24:27 [wseltzer]
... Multipath. e.g. split tunnel VPN
11:24:50 [ldaigle]
ldaigle has joined #strint
11:26:15 [wseltzer]
... Design considerations. Make sure your protocol works inthe face of these mitigations
11:26:51 [wseltzer]
s/inthe/in the/
11:27:56 [wseltzer]
... combinaing mitigations may be better; consider how to avoid mitigation itself triggering scrutiny
11:28:01 [wseltzer]
... nothing is perfect
11:28:47 [bht]
bht has joined #strint
11:28:58 [wseltzer]
Alissa: Questions. Are there any low-hanging fruits?
11:29:16 [wseltzer]
... Distinction between hidiing identity attributes, other information
11:29:33 [rigo]
rrsagent, please draft minutes
11:29:33 [RRSAgent]
I have made the request to generate rigo
11:29:54 [askan]
askan has joined #strint
11:29:55 [wseltzer]
Achim: Terminology point
11:30:13 [wseltzer]
... metadata is technically data about data, but we're talking about first-class data
11:30:29 [wseltzer]
... it's unfortunate that we're confounding the terms
11:30:42 [wseltzer]
... In Europe, the legal system talks about traffic and location data
11:30:58 [wseltzer]
... I's data about people, of course it's worth protecting.
11:31:05 [wseltzer]
11:32:23 [wseltzer]
SpencerDawkins: It's not always obvious when we've achieved multicast. False diversity if all paths connect over the same fiber
11:32:30 [JCZuniga]
JCZuniga has joined #strint
11:32:41 [wseltzer]
... difficult to know whom you can ask, whom you can trust
11:33:04 [alfredo]
alfredo has joined #strint
11:33:22 [wseltzer]
GeorgeDanezis: I've spent 15 years studying traffic analysis, and recommend that we not re-invent the work of that research community
11:33:34 [DThaler]
I think s/multicast/multipath/ in spencer's point
11:33:49 [wseltzer]
... Useful here to discuss the different threats against which we can protect users
11:33:52 [akatlas]
akatlas has joined #strint
11:34:01 [dacheng]
dacheng has joined #strint
11:34:21 [Dp]
Dp has joined #Strint
11:34:22 [wseltzer]
... Design protocols not to have fixed bit strings that are unencrypted, that allow easy packet selection for analysis
11:34:47 [lear]
lear has joined #strint
11:35:24 [wseltzer]
CullenJennings: VPNs are expensive to run, so either you need to pay, or it's incredibly slow
11:35:52 [wseltzer]
... worried that there's a systematic attack in some places on for-pay VPN service
11:36:05 [wseltzer]
... so can we tie them to other services that are more painful to turn off
11:36:28 [wseltzer]
EliotLear: Who's the "you" in "if you have the data, you have the metadata"?
11:36:46 [wseltzer]
... different between a trusted aggregator and an attacker
11:36:58 [crypt]
crypt has joined #strint
11:37:28 [wseltzer]
LarryMasinter: Useful to distinguish explicit data from observed data
11:37:52 [donnelly]
donnelly has joined #strint
11:38:15 [GregWood]
GregWood has joined #strint
11:38:18 [wseltzer]
NickDoty: Low-hanging fruit, data-minimization isn't easy
11:38:40 [wseltzer]
... we might need to do the slow haul through protocols, to ask about each what data we can hide
11:39:12 [wseltzer]
... which attackers can we foil? e.g. in fingerprinting
11:39:28 [wseltzer]
BrianTrammell: Agree with both Nick and George
11:39:55 [bjoern]
bjoern has joined #strint
11:40:05 [wseltzer]
... much harder to fix timing observation than constant bit-strings
11:40:16 [vonlynX]
vonlynX has joined #strint
11:40:28 [wseltzer]
... timing is result of good engineering, for bandwidth and latency minimization
11:40:44 [wseltzer]
... if you want to change timing, you'll need to increase bandwidth and latentcy
11:40:53 [wseltzer]
... Split the two kinds of metadata
11:41:02 [wseltzer]
11:41:02 [vonlynX]
that's why i couldnt join this irc for an entire day... it DISALLOWS TLS!
11:41:52 [wseltzer]
vonlynX, sorry, we've raised the question with W3C systems
11:42:09 [wseltzer]
George: envelope information vs side-channels, perhaps
11:42:45 [wseltzer]
PeterEckersley: Can we get a write-up of the worst offenders, e.g. worst bit-strings, so we have a target for fixes
11:42:53 [wseltzer]
George: Happy to try
11:43:40 [wseltzer]
HarryHalpin: Traffic analysis is scary. Not everything has the latency constraints of HTTP.
11:44:07 [wseltzer]
... e.g. work on email
11:44:17 [wseltzer]
SteveKent: Avoid the term metadata
11:44:41 [wseltzer]
... traffic analysis: externally visible characteristics of communication once you've applied encryption
11:44:44 [BenL]
right, strong anonymity _requires_ high latency
11:44:50 [BenL]
or at least, not low latency
11:44:54 [wseltzer]
... what's visible is a function of at what layer you've applied the encryption
11:45:21 [vonlynX]
btw, nice how naturally w3c/ietf uses irc today... i remember the pains it took to convince ietf to publish "informational" rfcs on irc at a time when it was considered child play stuff
11:45:30 [wseltzer]
... Distinction makes threat-model consideration clearer
11:46:02 [wseltzer]
EricRescorla: There are opportunities for stripping some fat, explicit strings
11:46:16 [wseltzer]
... I'm skeptical that we can reduce traffic analysis
11:46:40 [wseltzer]
... and that we can avoid identifying the seekers of greater protection from traffic analyssis
11:47:39 [wseltzer]
Ted: It's true we've spent a lot of time on performance engineering, but where we've wanted confidential channels, we've been willing to spend bandwidth and latency on it
11:47:54 [wseltzer]
... so we should consider that tradeoff here
11:48:14 [wseltzer]
... We should be worried about impacting users in a way that makes them want to turn confidentiality off
11:48:36 [wseltzer]
... But consider that confidentiality requires both payload and traffic obfuscation
11:48:47 [wseltzer]
... That's a first-order engineering problem.
11:49:46 [wseltzer]
LinusNordberg: Security. @@ [scribe missed]
11:50:03 [wseltzer]
... Anonymity loves company. Sometimes we'll need to force people to opt in.
11:50:38 [Eliot]
Eliot has joined #strint
11:51:07 [wseltzer]
HarryHalpin: There are large communities who would want to opt-in to greater security/confidentiality.
11:51:38 [wseltzer]
Alissa: It's one question to say, "can we do something better for everyone," and another to ask "can we make solutions for those who want them."
11:52:13 [wseltzer]
Spencer: People who think PM matters may not be the same people who have to pay, right now.
11:52:32 [wseltzer]
... we're usually opt-in
11:53:02 [wseltzer]
DanielKahnGilmor: Crypto community has consensus that all crypto operations need to be constant-time
11:53:02 [hhalpin]
In particular, there are protocols where resistance to traffic analysis will be virtually impossible (HTTP/Web browsing due to its bursty nature), but there's *lots* of protocols (particularly server-side) in e-mail, chat, and even VOIP where this is likely possible but parameters and options for sysadmins are unknown/do not exist.
11:53:10 [wseltzer]
... there, we're willing to incur overheads
11:53:34 [wseltzer]
SteveKent: Concern/objection to all incurring expense to protect some users.
11:53:35 [hhalpin]
We should allow people who want to take on the overhead an ability to take that overhead on.
11:53:43 [hhalpin]
Right now with current protocols that is hard.
11:53:57 [hhalpin]
Part of it is a lack of research, which is beyond standardization.
11:54:14 [hhalpin]
However, there are some protocols (SMTP comes to mind) where this is low-hanging fruit.
11:55:02 [wseltzer]
KathleenMoriarty: Previously, split tunneling for performance, VPN for security; Interesting now to bring them together
11:55:21 [wseltzer]
... Leverage the expertise of the diverse set of experts we have here
11:56:06 [wseltzer]
HannesTschofening: Action items, I've heard from George that we should look for what identifying strings can be stripped.
11:56:39 [wseltzer]
Alissa: It would be good to have that journey informed by experience.
11:57:06 [wseltzer]
... When someone wants to add an identifier, they argue "so much else is exposed, I should be able to add this user-identifier."
11:57:23 [wseltzer]
... If you want to strip other strings, you'll need counter-argument to that.
11:57:37 [wseltzer]
... maybe PM-thinking helps, but it's an uphill battle.
11:57:44 [wendyg]
triangulation of data might be answer to arugment needed - tiny bits that match up and toegether expose a great deal. every time remove a bit makes it a little harder/
11:58:16 [wseltzer]
Farrell: Engage people with expertise, but if they come up with solutions the implementers don't care about...
11:58:55 [wseltzer]
LeslieDaigle: Not ready to be a strong proponent of aggregation or obfuscation, but also not ready to call them non-starters
11:59:16 [wseltzer]
... You never know when you'll need protection, so don't assume it's limited to helping a few
12:00:01 [wseltzer]
MarkDonnely: Re overhead, perhaps we can leverage existing privacy modes of Web browsers
12:00:23 [wseltzer]
... standardize the metadata-hiding functions and encourage browsers to implement in their protected-mode
12:01:30 [wseltzer]
NickDoty: Tragedy of the commons re: "I'm just adding one more identifier"; that's why it's useful to have coordinating bodies
12:02:00 [wseltzer]
... so W3C's Privacy Interest Group is trying to look across new protocols, entire ecosystem, to develop minimization that works
12:02:21 [wseltzer]
... So IETF, W3C, talk to us about systemic privacy and security reviewing.
12:02:42 [wseltzer]
Alissa: we're having a meeting Monday
12:03:04 [wseltzer]
PhilZimmerman: For a performance burden that's a small penalty, it's worth doing for everyone
12:03:16 [wseltzer]
... that argument was once made against TLS, now we're pushing it everywhere
12:03:26 [wseltzer]
... AES is now part of Intel's instruction-set
12:03:27 [ldaigle]
ldaigle has joined #strint
12:03:43 [wseltzer]
... We can justify some incremental penalty in the interest of protecting everyone
12:04:05 [wseltzer]
... even if only a small fraction regards it as critical to staying alive in an oppressive regime
12:04:41 [wseltzer]
DKG: We need to fix all the leaks, not point elsewhere to explain why we're not fixing our protocols.
12:04:50 [wseltzer]
... SNI, fix both TLS AND DNS leaks
12:05:01 [dacheng]
dacheng has joined #strint
12:05:16 [BenL]
in general, I hate the argument that we should not fix X because Y is also broken
12:05:26 [wseltzer]
Eliot: To PZ and Leslie, saying we can pay a penalty, who's "we"?
12:05:56 [wseltzer]
... @@missed
12:06:13 [hhalpin]
BTW, making sure "protected mode" actually makes sense and is an intersting possibility of future standardization if browser vendors have interest.
12:06:48 [wseltzer]
Alissa: We have anaction item for George,
12:07:06 [wseltzer]
... I like the idea of looking for an easy minimization opportunity.
12:07:23 [wseltzer]
Farrell: It would be even more interesting if implementers and deployers were interested
12:07:35 [wseltzer]
Ted: Corner StPeter and the XMPP community
12:08:29 [jphillips]
RFC 1149 is suitable for reducing traffic analysis. Perhaps by using anti-radar paint…
12:08:36 [wseltzer]
JoeHildebrand: XMPP has yet another series of addresses and metadata
12:08:50 [wseltzer]
... might be a good playground
12:08:59 [wseltzer]
... analogy to layer 3 issues, not perfect
12:09:01 [ldaigle]
ldaigle has joined #strint
12:09:16 [wseltzer]
hhalpin: Email communities
12:09:24 [DThaler]
1149 has good multipath properties. aggregation gets really difficult though.
12:09:31 [wseltzer]
... subsets thereof
12:09:51 [wseltzer]
... activist communities, providing email, specifically
12:09:53 [arobach]
arobach has joined #strint
12:10:44 [wseltzer]
[scribe misses some argumentation]
12:11:05 [wseltzer]
@@: start from scratch, rather than back-filling existing protocols
12:11:47 [wseltzer]
Alfredo: XMPP is interesting, because it has a live stream of information
12:12:02 [dougm]
In a competitive (price, performance, services, security) un-regulated market - these new security capabilities must win the competition with market sectors that matter.
12:12:29 [wseltzer]
Alissa: Some disagreement whether techniques are worth the cost. Ongoing discussion
12:12:39 [wseltzer]
12:12:45 [wseltzer]
rrsagent, make minutes
12:12:45 [RRSAgent]
I have made the request to generate wseltzer
12:13:01 [wseltzer]
Meeting: STRINT, Day 2
12:13:59 [wseltzer]
i/we're starting/Topic: Opportunistic Encryption
12:14:13 [wseltzer]
rrsagent, make minutes
12:14:13 [RRSAgent]
I have made the request to generate wseltzer
12:14:32 [vonlynX]
my intervention was, end-to-end/onion routed encryption is essential in the fight against visible transaction data and text-based syntaxes are quite unsuitable for simple band-aid fixes.. also the federation architecture isn't really useful to that aim.. we had discussions on the xmpp standards list and agreed that meta data protection is outside a reasonable scope for xmpp.
12:15:38 [wseltzer]
rrsagent, make minutes
12:15:38 [RRSAgent]
I have made the request to generate wseltzer
12:16:23 [vonlynX]
new communication technologies are propping up that achieve this goal already, people just have to use other software. it is low hanging fruit to improve those programs and protocols used in them. we keep a list of such technologies at
12:16:42 [jphillips]
jphillips has joined #strint
12:20:54 [ldaigle]
ldaigle has joined #strint
12:50:42 [mcmanus]
mcmanus has joined #strint
12:53:30 [jphillips]
jphillips has joined #strint
12:56:33 [AndChat|372521]
AndChat|372521 has joined #strint
12:58:38 [Ted_]
Ted_ has joined #strint
13:01:18 [Ted_1]
Ted_1 has joined #strint
13:01:19 [bht]
bht has joined #strint
13:03:26 [ldaigle]
ldaigle has joined #strint
13:05:35 [grothoff]
grothoff has joined #strint
13:05:51 [cabo]
cabo has joined #strint
13:06:34 [bht1]
bht1 has joined #strint
13:06:45 [pde]
pde has joined #STRINT
13:08:07 [npdoty]
npdoty has joined #strint
13:08:15 [alfredo]
alfredo has joined #strint
13:08:16 [dka]
dka has joined #strint
13:08:19 [PhilippeDeRyck]
PhilippeDeRyck has joined #strint
13:08:42 [kodonog]
kodonog has joined #strint
13:09:01 [kodonog]
I will
13:09:15 [Pete]
Pete has joined #strint
13:09:20 [kodonog]
Topic: Deployment
13:09:35 [vonlynX]
vonlynX has joined #strint
13:09:41 [wseltzer]
-> Deployment slides
13:09:44 [drogersuk]
drogersuk has joined #strint
13:09:59 [donnelly]
donnelly has joined #strint
13:10:00 [kodonog]
Eliot: (a few minutes missed...)
13:10:17 [kodonog]
... the snoopometer... a view of the attacker
13:11:09 [kodonog]
... sneakometer - using intermediaries as a defense mechanism
13:12:28 [Ted_]
Ted_ has joined #strint
13:12:55 [kodonog]
... aggregation examples
13:14:03 [kodonog]
... concentration versus distribution
13:14:34 [kodonog]
... spectrum of which service is more secure and more likely to be attacked
13:14:38 [alfredo_]
alfredo_ has joined #strint
13:14:48 [alfredo_]
alfredo_ has left #strint
13:15:24 [kodonog]
... stretch .. who is paying for the the extra paths, how are you paying in terms of quality of service
13:15:27 [Ted_1]
Ted_1 has joined #strint
13:15:31 [cheshire]
cheshire has joined #strint
13:16:54 [xm]
xm has joined #strint
13:16:57 [JoeHallCDT]
JoeHallCDT has joined #strint
13:17:07 [kodonog]
... key points -
13:17:16 [rigo]
has someone the streaming URI?
13:17:50 [kodonog]
@@@ One way forward, "interferable secure communications"?
13:18:02 [cabo]
Jan Seedorf
13:18:20 [kodonog]
... s/@@@/Jan Seedorf
13:18:44 [kodonog]
... need to look into new technologies the crypto community is developing
13:18:48 [sftcd_]
sftcd_ has joined #strint
13:18:57 [AndChat|372521]
13:19:01 [kodonog]
... makes good guys technically distinguishable from the bad guys
13:19:29 [rigo]
thanks AndChat|372521
13:20:16 [kodonog]
Joe Hildebrand: my paper talked about costs associated with middle boxes breaking services
13:20:29 [kodonog]
... middlebox folks don't get the support calls
13:20:38 [kodonog]
Eliot: Questions for the room
13:20:45 [hildjj]
hildjj has joined #strint
13:22:04 [kodonog]
... what knobs, what user interface issues, when is PS a good use of resources, can aggregation/concentration actually harm
13:22:19 [kodonog]
PHB: this is the deployment session and we aren't worrying about deployment
13:22:38 [ldaigle]
ldaigle has joined #strint
13:22:58 [kodonog]
... set of profiles that say this is how you lock down the network
13:23:05 [kodonog]
... enables auditing
13:23:18 [askan]
askan has joined #strint
13:23:36 [alfredo]
alfredo has joined #strint
13:24:12 [kodonog]
@@@ Gilmore: push back on the snoopometer slide... it is actually cheaper to collect everything
13:24:20 [kodonog]
... you have the pricing backwards
13:24:42 [hhalpin]
hhalpin has joined #strint
13:25:08 [kodonog]
Dave Thaler: economics today means this slide (snoopometer) is not true, it is more about what we would want it to be.
13:27:02 [kodonog]
Christian: PRISM program also shows that it is very cheap to get everything
13:27:33 [DThaler]
DThaler has joined #strint
13:27:53 [kodonog]
Cullen Jennings: differentiate between proxies that are ackowledged/approved of by one end or the other or both
13:27:58 [kodonog]
... generally don't cause issues
13:29:00 [kodonog]
... another category of ones that are not approved by either end and generally cause alot of problems
13:29:11 [kodonog]
Stephen: xmpp flag day in may
13:29:30 [kodonog]
... are there other communities doing something similar?
13:30:25 [DThaler]
13:30:31 [kodonog]
Spencer Dawkins: do people think that back to back user agents are enough of a special case ]]
13:30:50 [Ted_1]
Just to point out to Christian on the Prism revelations about Google:
13:30:50 [DThaler]
"The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. "
13:31:11 [kodonog]
steve Bellovin: don't much like middleboxes while acknowledging they are sometimes needed
13:31:29 [dougm]
dougm has joined #strint
13:31:51 [kodonog]
.... design the middlebox friendly version of this... that won't work with
13:33:20 [grothoff]
Ted_1: not giving "direct access" just means that there is a proxy involved. So what?
13:33:20 [kodonog]
Max Pritikin: that model that says in some situations middleboxes are ok only works when the server end knows its there
13:33:28 [kodonog]
... server needs to authenticate the client
13:33:49 [kodonog]
George: (missed comment)
13:34:02 [Ted_1]
+1 to Max's point; if *both* parties to a communication aren't aware of the middlebox, the party which is unaware may send traffic it would not if it weren't aware. So the server may have a policy not to send bank details to middleboxen (an entirely rational choice, if you don't know who is running the MiTM)
13:35:05 [JoeHallCDT]
JoeHallCDT has joined #strint
13:35:34 [kodonog]
EKR: browsers are implicit in this problem,
13:35:41 [vonlynX]
vonlynX has joined #strint
13:35:43 [Ted_1]
The Hotspot problem gets better with hotspot 2.0
13:35:55 [kodonog]
... until someone tells me how to make, i have no interest
13:36:14 [DThaler]
s/implicit/complicit/ in EKR's comment
13:36:16 [vonlynX]
I think middle boxes use cases can be solved differently: Enterprise policy can be implemented on the end devices. If you own the PC, you can bug it. Caching and optimizing mobile data can be solved by migrating users to a push model: With anonymous encrypted distribution trees
13:36:23 [vonlynX]
we bring information to each subscriber in an efficient and privacy-preserving way. It also makes it easier to route information around censoring nation state firewalls. Advertising: Whoops, wrong business model. Yet, homomorphic TLS is also an interesting approach.
13:37:06 [kodonog]
Resnick: third party that is giving the data and doesn't want to to share, that is the one I don't get
13:38:20 [kodonog]
Rigo: service concentration, need to be smarter by distributing more control in addition to the data
13:38:48 [rigo]
Rigo: service concentration: legal access to everything you control and gag order
13:39:09 [kodonog]
Jan Seedorf: web traffic acceleration is an example of a use case of interest
13:39:12 [rigo]
... distribution of data not sufficient, also distribution of control
13:40:15 [arobach]
arobach has joined #strint
13:40:36 [kodonog]
Peter Eckersley: agree with EKR that doing something about corporate MITM attacks against employees
13:40:57 [kodonog]
... we should try to do more about hotel networks and such
13:41:23 [kodonog]
... need to get rid of captive portal models
13:41:54 [npdoty]
pde, do we really want to encourage an arms race of captchas on captive portals?
13:42:06 [Ted_1]
For those not aware of 802.11u, the Hotspot 2.0 effort changes how a WiFi connectivity event will occur.
13:42:18 [kodonog]
Max Pritikin: client authentication lets the server make decisions
13:43:00 [kodonog]
... if there is going to be a MITM then we need to design for it
13:43:10 [kodonog]
Eliot: what I mean by aggregation
13:44:05 [kodonog]
... small service versus large service, # of users
13:44:55 [kodonog]
PHB: before we try to disable parts of the network we need to understand what these hotel portals are using
13:45:39 [kodonog]
PHB: web content impact on cacheing
13:46:16 [alfredo]
alfredo has joined #strint
13:46:21 [kodonog]
Patrick: horrible architecture that we want to implement
13:47:05 [kodonog]
... from the points in Joe Hildebrand's paper
13:49:12 [kodonog]
Jon Peterson: (scribe was distracted)
13:49:19 [vonlynX]
Then again, I am being told homomorphic crypto is computationally expensive and from my understanding none of the middle box use cases are compatible to how it operates, unless we reduce privacy (allow middle boxes to detect a request for a certain jpeg etc, which obviously means that the middle box knows which website you are going to). NSFP (not safe for pr0n).
13:49:34 [dacheng]
dacheng has joined #strint
13:50:03 [drogersuk]
drogersuk has joined #strint
13:50:28 [rigo]
oh, we are going back to PICS :) W3C had made POWDER to solve this middlebox problem for the Web
13:50:35 [npdoty]
s/(scribe was distracted)/there wasn't any subset of actions and configurations that middleboxes are willing to be limited to, and they don't mind having CALEA compliance as a result/
13:50:35 [kodonog]
Kathleen: can we eliminate malware, the root of the firewall problem, then we can flip this on its head
13:50:55 [kodonog]
DAve Crocker: as we make suggestions we should consider the risk of the suggestion
13:51:18 [kodonog]
... changing hotel portals is high risk
13:51:35 [kodonog]
... wrt knobs/levers, haveing an impact here is high risk
13:52:34 [kodonog]
Stephen: I really don;t want a knob that says I don't want to route via country A because it won't be effective
13:53:26 [kodonog]
Peter Eckersly: need to revisit the captive portal topic
13:53:57 [kodonog]
... dhcp is what it is and we need to build around it
13:54:30 [npdoty]
I think captive portals might be more amount branding / advertising / sending traffic than just boilerplate legal agreements
13:55:29 [kodonog]
Jan Seedorf: crypto could provide finer grains of control
13:55:58 [ldaigle]
ldaigle has joined #strint
13:56:08 [kodonog]
Barry: how do you know you are connected to the right captive portal
13:56:23 [npdoty]
npdoty has joined #strint
13:56:33 [npdoty]
rrsagent, pointer?
13:56:33 [RRSAgent]
13:56:54 [rigo]
rrsagent, please draft minutes
13:56:54 [RRSAgent]
I have made the request to generate rigo
13:57:27 [kodonog]
EKR: every time we try to wall things off from the middle boxes they find a way around it
13:58:14 [npdoty]
http 511 code is defined here:
13:58:48 [kodonog]
David Thaler: maybe we can do something to solve the captive portal
13:59:57 [npdoty]
doesn't the 511 status code help us with this problem? the status code tells you that this is a redirect because of captive portal authentication required
14:00:15 [pde]
pde has joined #STRINT
14:00:48 [kodonog]
(another scribe failure)
14:01:05 [hildjj]
hildjj has joined #strint
14:01:18 [alfredo]
alfredo has joined #strint
14:01:42 [kodonog]
Hannes: standards that have a little bit more system nature
14:02:27 [wseltzer]
14:02:33 [wseltzer]
Topic: Breakouts
14:04:05 [jphillips]
Sounds like Phil brought a rotary telephone while waiting for his Darkphone.
14:11:39 [CB]
CB has joined #strint
14:22:30 [cabo]
cabo has joined #strint
14:23:10 [cheshire]
cheshire has joined #strint
14:26:26 [jphillips]
jphillips has joined #strint
14:29:22 [jphillips2]
jphillips2 has joined #strint
14:32:42 [cabo]
cabo has joined #strint
14:32:58 [hildjj]
hildjj has joined #strint
14:33:26 [wendyg]
wendyg has joined #strint
14:35:57 [alfredo]
alfredo has joined #strint
14:36:16 [bht]
bht has joined #strint
14:36:37 [wseltzer]
[breakouts in irc: #research, #client, #onbydefault, #measure, #opportunistic]
14:36:46 [JoeHallCDT]
JoeHallCDT has joined #strint
14:36:52 [npdoty]
npdoty has joined #strint
14:38:35 [drogersuk]
drogersuk has joined #strint
14:38:43 [arobach]
arobach has joined #strint
14:39:06 [dougm]
dougm has joined #strint
14:39:40 [donnelly]
donnelly has joined #strint
14:44:14 [Eliot]
Eliot has joined #strint
14:45:02 [oleg]
oleg has joined #strint
14:45:55 [dka]
dka has joined #strint
14:47:19 [ldaigle]
ldaigle has joined #strint
14:54:12 [dougm]
dougm has joined #strint
14:56:29 [hhalpin]
hhalpin has joined #strint
15:01:01 [mcmanus]
mcmanus has joined #strint
15:02:40 [freewill]
freewill has joined #strint
15:02:45 [hildjj]
hildjj has joined #strint
15:03:06 [freewill]
hi everyone
15:03:24 [JoeHallCDT]
(in break-out sessions, so not a lot of action here)
15:04:10 [freewill]
unfortunately I could not join earlier today
15:04:32 [JoeHallCDT]
back on in this one at 16:00 GMT
15:04:52 [freewill]
yes just checked the agenda
15:07:14 [JoeHallCDT]
might be 15:30, actually
15:07:18 [JoeHallCDT]
(we're a bit early)
15:21:32 [Ted_]
Ted_ has joined #strint
15:24:12 [Ted_1]
Ted_1 has joined #strint
15:24:37 [arobach]
arobach has joined #strint
15:29:32 [dka]
dka has joined #strint
15:32:34 [alfredo]
alfredo has joined #strint
15:34:29 [hildjj]
hildjj has joined #strint
15:34:51 [pde]
pde has joined #STRINT
15:36:42 [Ted_]
Ted_ has joined #strint
15:39:32 [Ted_1]
Ted_1 has joined #strint
15:47:27 [alfredo]
alfredo has joined #strint
15:52:56 [hildjj]
hildjj has joined #strint
15:55:02 [pde]
pde has joined #STRINT
15:55:19 [cabo]
cabo has joined #strint
16:00:21 [mcmanus]
mcmanus has joined #strint
16:01:59 [freewill]
audio down also for you?
16:04:03 [mcmanus]
mcmanus has joined #strint
16:04:52 [bht]
bht has joined #strint
16:08:00 [wseltzer]
freewill, we're still on breakouts/break
16:10:23 [freewill]
wseltzer: okay another break
16:10:28 [drogersuk]
drogersuk has joined #strint
16:10:36 [freewill]
16:10:52 [jphillips]
There is a lot of cake. We need all the breaks.
16:11:05 [freewill]
hehe enjoy
16:12:24 [freewill]
beam me up jphillips
16:13:05 [jphillips]
Negative, Heisenberg compensator is still not operational.
16:14:30 [hildjj]
hildjj has joined #strint
16:15:07 [Ted_]
Ted_ has joined #strint
16:16:14 [npdoty]
npdoty has joined #strint
16:16:23 [wseltzer]
16:16:28 [PhilippeDeRyck]
PhilippeDeRyck has joined #strint
16:16:31 [wseltzer]
thanks to npdoty and JoeHallCDT for scribing breakouts!
16:16:39 [wseltzer]
Topic: Report back from breakouts
16:16:57 [wseltzer]
scribenick: wseltzer
16:17:09 [wseltzer]
Cheshire: Good discussion, a few highlights
16:17:27 [wseltzer]
... Separate cases: Captive portals, Misconfigurations
16:17:38 [wseltzer]
... Third case, self-signed certs. Browser can tell the difference
16:17:57 [ldaigle]
ldaigle has joined #strint
16:18:09 [wseltzer]
... Loose consensus, already a W3C mailing list
16:18:34 [wseltzer]
... Can implementors do something like World IPv6 Day,
16:18:47 [pde]
pde has joined #STRINT
16:18:48 [Ted_1]
Ted_1 has joined #strint
16:19:03 [wseltzer]
... where it's clear that no one browser is "broken," but rather the security of websites is being improved
16:19:10 [Ak]
Ak has joined #strint
16:19:17 [wseltzer]
-> Client breakout notes
16:19:22 [alfredo]
alfredo has joined #strint
16:19:50 [Ted_1]
Was it
16:19:59 [Ted_1]
for the mailing list at w3c?
16:20:02 [freewill]
about encrypted network, is anyone mentioned today that the use of mixing techniques and multi-hop transmission of data must be the norm nowadays for the end user?
16:20:09 [wseltzer]
Kaplan: Aggregation/measurement
16:20:16 [wseltzer]
16:20:29 [wseltzer]
16:20:42 [wseltzer]
Kaplan: look at the problem at layer 7 and above
16:20:59 [wseltzer]
... Testing and measurement; we tried to identify existing groups and interesting tests
16:21:27 [vonlynX]
vonlynX has joined #strint
16:21:28 [mcmanus]
mcmanus has joined #strint
16:21:40 [wseltzer]
... SSLlabs
16:21:48 [wseltzer]
... how to protect testing data?
16:22:06 [wseltzer]
... gamification as an approach to spur improvement
16:22:51 [wseltzer]
Paterson: We talked about research, not about clean-slate
16:23:17 [wseltzer]
... Meta challenge in relationship between academics and standards bodies
16:23:43 [wseltzer]
... Specific action to bring research on linakbility to attention of IETF, on Linus
16:24:00 [wseltzer]
... Specific problems in need of research, non-exhaustive
16:24:12 [wseltzer]
... CRIME-inspired; interaction of compression and encryption
16:24:22 [wseltzer]
... Pro-active algorithm deprecation
16:24:53 [wseltzer]
... Return-oriented crypto; make existence and traffic stealthy
16:25:05 [wseltzer]
... Continued guidance on algo selection
16:25:42 [wseltzer]
... Efficient PIR
16:25:56 [wseltzer]
.... Metrics for obfuscation of code and data
16:26:11 [wseltzer]
... Specific research in search of applications:
16:26:15 [npdoty]
s/PIR/Private Information Retrieval (PIR)/
16:26:29 [wseltzer]
... Limited-interference secure communications
16:26:35 [wseltzer]
.... Format-transforming ncryption
16:26:43 [wseltzer]
... clean-slate designs using DHTs
16:26:53 [wseltzer]
... insider threat models
16:27:28 [DThaler]
DThaler has joined #strint
16:27:51 [wseltzer]
SteveKent: Opportunistic
16:28:02 [cheshire]
cheshire has joined #strint
16:28:05 [wseltzer]
... Preferred term "opportunistic keying"
16:28:12 [wseltzer]
... focus on passive attack model
16:28:27 [wseltzer]
... Start with DH/ECH for PFS (perfect forward secrecy)
16:28:55 [wseltzer]
... fall back to plain text, or escalate to authenticated (in parallel?)
16:29:14 [wseltzer]
... Invisible to users, so they don't think it's replacement for HTTPS
16:29:45 [wseltzer]
... report to server? "I tried to contact you using opportunistic keying but couldn't reach you"
16:29:51 [hhalpin]
hhalpin has joined #strint
16:30:02 [wseltzer]
... Threat model: pervasive monitoring, passive attack
16:30:27 [wseltzer]
... understand middleboxes, which layers they're operating
16:31:00 [Jiangshan]
Jiangshan has joined #strint
16:31:15 [wseltzer]
... this is not a replacement for HTTPS TLS paradigm, explicitly note that in Security Considerations
16:32:00 [wseltzer]
Resnick: How does escalate-to-authenticated interact with no UI?
16:32:08 [wseltzer]
Kent: possibly lock icon
16:33:30 [wseltzer]
EKR: @@ middleboxes
16:33:50 [ldaigle]
16:34:17 [wseltzer]
... user-experience, if fall-back is slow, how does the experience suffer?
16:34:47 [wseltzer]
Kent: Possible parallel start for plaintext
16:35:30 [wseltzer]
@@: Discussed in the client session too; need something below the application to provide a uniform interface
16:35:50 [wseltzer]
... Might be something to raise in transport-services BOF
16:36:10 [wseltzer]
Turner: #onbydefault
16:36:22 [wseltzer]
-> #onbydefault minutes
16:36:44 [wseltzer]
Turner: More than MTI/on by default = MTU
16:36:53 [wseltzer]
... Legacy: On by default but off is available
16:37:15 [wseltzer]
... New protocols: put your best foot forward, if you can't, fall back
16:37:34 [wseltzer]
... need WG guidance
16:37:47 [wseltzer]
EKR: what would you expect HTTP2 to do?
16:38:23 [wseltzer]
Turner: New protocols: 1/ where you can do auth encryption, do it
16:38:30 [wseltzer]
... 2/ if not, do unaut encryption / OE
16:38:41 [wseltzer]
... 3/ need to indicate up the stack which level was negotiated
16:39:01 [wseltzer]
... 4/ Need WG guidance!
16:39:41 [wseltzer]
Turner: Past Security ADs should write such guidance
16:40:28 [wseltzer]
@@: Also people who understand applications
16:41:06 [wseltzer]
Ted: WG guidance is a lovely thing, but WGs are a tiny fraction of those needed for deployment
16:41:14 [wseltzer]
... We need marketing.
16:41:45 [wseltzer]
... call upon the IETF chair, who just put his hand up.
16:41:55 [wseltzer]
Jari: I wasn't actually volunteering...
16:42:22 [wseltzer]
... IETF will discuss, through normal process
16:42:49 [wseltzer]
Turner: Russ volunteered, I volunteered
16:43:14 [wseltzer]
Farrell: Thanks!
16:43:17 [npdoty]
Eliot volunteering to write; Jari volunteering to blog
16:43:38 [wseltzer]
... Thanks to DKA and Telefonica for hosting! [applause]
16:43:46 [wseltzer]
... Summary:
16:44:08 [wseltzer]
... Crypto works, do more, raise the bar; not free but worthwhile
16:44:23 [wseltzer]
... Data minimization is worthwhile but hard
16:44:33 [wseltzer]
... Threat model-> RFC
16:44:48 [barryleiba]
barryleiba has left #strint
16:44:54 [wseltzer]
... Opportunistic keying definition and mechanism cookbook -> RFC
16:45:35 [wseltzer]
... Policy: tech community could do better to explain PM
16:45:47 [wseltzer]
... UI issues not out of scope
16:45:57 [wseltzer]
... gamification,
16:46:22 [wseltzer]
... easier security configuration
16:46:29 [wseltzer]
... can we improve captive portals?
16:46:46 [wseltzer]
... add a new RFC to BCP 72 re pervasive monitoring; we're not there yet
16:46:57 [wseltzer]
... but should be working toward it
16:47:26 [wseltzer]
Juan-Carlos Zuniga: IEEE, this was useful to other communities as well
16:47:45 [ldaigle]
ldaigle has joined #strint
16:47:55 [wseltzer]
... we're willing to communicate 802, link-layer, SSIDs
16:48:30 [hhalpin]
For discussion of hard fail and browser cert problems, see
16:48:36 [mcmanus]
mcmanus has joined #strint
16:48:38 [wseltzer]
Cheshire: Thanks Stephen, Hannes, Rigo, and all PC [Applause]
16:48:54 [wseltzer]
16:48:56 [hhalpin]
just email "subscribe" to
16:48:59 [wseltzer]
rrsagent, make minutes
16:48:59 [RRSAgent]
I have made the request to generate wseltzer
16:49:12 [ldaigle]
ldaigle has left #strint
17:07:00 [freewill]
freewill has left #strint
17:10:06 [pde]
pde has joined #STRINT
17:13:44 [azet]
azet has left #strint
17:20:46 [npdoty]
npdoty has joined #strint
17:36:47 [dka]
dka has joined #strint
18:27:06 [cabo]
cabo has joined #strint
19:19:16 [pde]
pde has joined #STRINT
19:22:40 [cabo]
cabo has joined #strint
20:36:21 [mcmanus]
mcmanus has joined #strint
21:42:16 [Ted_]
Ted_ has joined #strint
22:02:48 [Ted_]
Ted_ has joined #strint
22:05:23 [npdoty]
npdoty has joined #strint
22:21:58 [dcrocker]
dcrocker has joined #strint
22:22:42 [Ted_]
Ted_ has joined #strint
22:23:09 [dcrocker]
dcrocker has left #strint
22:47:54 [cabo]
cabo has joined #strint
23:34:47 [hildjj]
hildjj has joined #strint